May 18, 2023

Collaborative Password Management with Passbolt | Episode #65

In this episode, I'm joined by Kevin Muller, Founder & CEO of Passbolt, a company transforming how businesses handle passwords with its open-source platform that emphasizes security, transparency, and user privacy. We dive deep into the company's inception, unique security features, the balance between security and usability, and Passbolt's vision for the future. In light of the rising importance of cybersecurity, we also discuss Passbolt's response to notable security incidents and its approach to ongoing challenges in password management and how they aim to make password management more secure and manageable for teams and enterprises.

Redefining Password Management focusing on Security, Privacy, and Collaboration!

Passbolt was founded in 2011 and is headquartered in Luxembourg.

☑️ Support the Channel by buying a coffee? - https://ko-fi.com/gtwgt

☑️ Technology and Technology Partners Mentioned: OpenPGP, KeePass, DevOps, FIDO Alliance, Keycloak

☑️ Web: https://www.passbolt.com

☑️ UI Walkthrough Video: ⁠https://www.youtube.com/watch?v=XD3lZFyniCE

☑️ Crunch Base Profile: https://www.crunchbase.com/organization/passbolt

☑️ Interested in being on #GTwGT? Contact via Twitter @GTwGTPodcast or go to https://www.gtwgt.com

☑️ Subscribe to YouTube: https://www.youtube.com/@GTwGTPodcast?sub_confirmation=1

☑️ Web - https://gtwgt.com

☑️ Twitter - https://twitter.com/GTwGTPodcast

☑️ Spotify - https://open.spotify.com/show/5Y1Fgl4DgGpFd5Z4dHulVX

☑️ Apple Podcasts - https://podcasts.apple.com/us/podcast/great-things-with-great-tech-podcast/id1519439787

☑️ Music: https://www.bensound.com

Transcript

Raw Transcript

You know, when you buy food you're looking like, okay, how can I get the best food that I want? I want something organic, I want something that's done right. And we wanted to have this kind of software when it comes to password management.

Hello and welcome to episode 65 of Great Things with Great Tech, the podcast highlighting companies doing great things with great technology. My name's Anthony Spiteri, and in this episode we're talking to a pioneering company in open source password management, ensuring businesses can securely and efficiently handle their sensitive data. With their innovative platform they're redefining the way organizations manage their passwords and credentials. That company is Passbolt, and I'm speaking to founder and CEO Kevin Muller. Welcome to the show, Kevin.

Thank you, thanks for having me. It's a pleasure to be here.

No worries. Just before we dive into the world of passwords and the platform that you guys have created at Passbolt, I just want to say that if you love Great Things with Great Tech and would like to feature on future episodes, you can click on the link in the show notes or go to gtwgt.com and register your interest. Just as a reminder, all episodes of GTwGT are available on all good podcasting platforms, the Googles, the Apples, Spotifys, all hosted and distributed by Spotify Podcasts. And finally, please go to YouTube at GTwGT Podcast, subscribe and follow to get all episodes plus all future episodes. And with that, okay, let's talk about Passbolt, and a company that you're in Luxembourg, number one, which is great. I've never interviewed anyone that's in Luxembourg, so really interesting. We were talking a little bit about that, about the link to that in Malta, my home country. But maybe give a little bit of a background first on yourself, where you came from, and then talk about the lead-up to you founding Passbolt.

Yeah, sure, absolutely. Well, you know, nothing was really predicting me in my life to form a company like Passbolt, because I'm a guy who comes from sociology in the first place, not even cybersecurity, not even IT. But I'm a self-taught person, so even when I was a sociology student, I used to sell ethical hacking services to companies that are based in Europe and also in Luxembourg. So I don't come from Luxembourg, I'm a French guy, but France is very near to Luxembourg, at least some part of France, the part I come from, and that's how I ended up working with some companies over there. And the story of Passbolt basically did not start in Europe, it started in India, because after my studies I got the chance to do an internship in India, and after this internship I started my first company, which was a digital agency, and Passbolt was actually born in that digital agency. So initially we didn't have any commercial ambition, we were not even planning to make it available as an open source product. We built the first version really to solve our own problems, and the problem we were having was that we were a technical team managing a big amount of customers, and for each customer we were undertaking, the first thing the customer would do was to send their passwords to us by email. You know, the passwords that our team would need in order to do their job: to connect to the system, to the social media, but also to the server through SSH, or to connect to the API. So this was sent to the project manager, who had then to distribute it among the team members, and we had big security problems because our project managers were doing that by email or by Skype or something else. But to be honest, at the time I was really more concerned about the productivity issues: the fact that the passwords are changing all the time, you have big volumes of passwords to handle. And in order to fix that we were using KeePass. I'm not sure if you're familiar with KeePass?

I was, yeah. It's one that I used back in the day as well, so yeah, very familiar.

So KeePass is amazing. I think KeePass creates a sense of trust with users because it's open source, it's audited, and it's a very simple app. But the problem of KeePass is that it has its limits when it comes to collaboration. So when you're working in a big team, what happens in many cases, and at least that's what we hear from our customers and users, is that you have a KeePass file that becomes really big, with initially dozens of passwords and then hundreds of passwords, and at some point what you want to do is just like, okay, how do I share this subset of passwords that really relate to a specific project with a part of my team? And then you can copy the folder, create another KeePass archive, and then send this archive to the other team using a different channel. But then the problem is, how do you know where your passwords are going?

Yeah, it's untracked, right? You've got no way to track where your passwords are, and you can lose absolute control of the end resting place for them, so they're always vulnerable.

Exactly. It becomes a hot mess very quickly, you don't feel in control, and that's the reason that pushed us at the time. So I say at the time, we're talking back in 2011, so a long time ago.

Yeah.

And basically we started looking at password management solutions online. We're like, okay, someone must have fixed this problem. And it's true, we were aware of password managers that were available in the market, but the problem is we were a technical team and we had more sophisticated needs than what the available password managers were providing. So typically what we wanted to do is to be able to share with granularity: like, I want to click on one password and share only this password with one person from my team, and once I've shared it I want traceability, what happens. I want to be able to see the activity logs, I want to see did this person share it with another person, I want to have an off-boarding report: this person is leaving my organization, what is at risk, what passwords should I rotate. So that was the first part. The second part is, as technical guys, privacy is a real concern for us. We were using Drupal, WordPress, Linux systems, and we wanted something that was open source. We want to be able to install it on our own server, we want to have control of our data, we want to be able to edit the source code if needed, we want to be able to build on top. So that was the privacy slash open source aspect of it, and the first version of Passbolt was really focusing on these two USPs, these two particularities, only for us. We developed it, it took six months to develop the first version, we started using it internally and then with our customers and partners around the company, and the reaction was always the same. People were like, oh my God, where did you get this software? We are looking for something similar. And the story was always the same: very often we would hear, we are using KeePass, we want to transition to something more collaborative. And everyone, as I said, loves KeePass because it's trustworthy, it's been audited. A lot of our French users are fond of it because it's been audited by ANSSI.

I understand, yeah, part of the French government.

You know, it's a big trust stamp. But they're like, okay, we want to be collaborative with it, and once they discovered Passbolt, which was not called Passbolt yet, they got quite enthusiastic. So that's how we understood that, okay, it was not only us, there was a lot of demand for it. And at that time I was leading my web agency; I basically let my business partner of the time continue with it, and I really wanted to do a product-based type of business. So I contacted Cedric and Remy, who are long-time friends, childhood friends, cybersecurity guys.

Okay, so they were already in the business. And you mentioned you did a little bit of cyber, sort of ethical hacking and whatnot, before you even got your internship in India, right? I was very curious in that: how did you get into that? Was it because of your friends, or was it...

I think curiosity, you know. At that time the internet was not what it is today. There were a lot of open doors everywhere, there were a lot of very fishy forums, there was a lot of information, you know, like Frank magazine and this time. So, you know, what I think, when I was young, we had this device in France that is called the Minitel. It was before the internet, it was our own version of what the internet is, but it was fully proprietary. So basically a Minitel was a kind of computer that you buy from the telecom services, and that gives you access to online chats.

Sort of like America Online, a little bit like how that first sort of internet was more like a closed internet where you bought into it, and only a certain people that bought into it were part of it. That's quite interesting.

Yeah, yeah. So I remember my dad bought this, and my first reaction was not to use it, it was to wait for my parents to sleep at night in order to dismantle it and understand how it's built.

Ah, yes, okay.

So I think the way I went into ethical hacking was more like out of curiosity, out of like, okay, how are these people building their systems, can I dismantle it, can I find a way in, but in order to understand how they are put together.

Yeah. And I think also what you've shared there in terms of the founding, leading up to, you know, when you say you had your friends together and you said you want to start a company, and you've still got to talk about how Passbolt came about. But I think again, it's a necessity, like innovation is a necessity of invention as well, right? So you literally had a need for something to do a little bit more than what KeePass could do inside of your company, and you focused on collaboration. And I think, we're probably going ahead a little bit, but from the UI that I've seen and that I've played with, with Passbolt collaboration is built directly into that platform like nothing I've seen with a password management system. So the fact that you focus on security, privacy and collaboration as a platform is very much a unique differentiator for you guys. But maybe just talk a little bit about what you're about to get into, which was when you asked your friends about starting a company.

Yeah. So I think I got either lucky or I was good at pitching the idea, because Remy and Cedric had a job at the time, and a very nice job, in big companies. And I took a plane; Cedric was living in Luxembourg and Remy was living in the Netherlands, and I went to meet them separately, and I was like, look guys, I'm sure there is something there we should dig, and we are going to have a lot of fun, because that's what we understand, we are technical guys. We are going to do privacy, security and collaboration in a single platform that is open source. I was not fully sure at the time that the platform would remain open source, I was not fully sure of the direction, but basically once they got convinced, we sat around the table and we had a very open discussion about what it is that we want to build and what values we want the software to have. It's not just the company, because they did not join the project for business reasons, it was not about making money, it was really about building something that has a meaning for us, something that we really believe in, in terms of: do people need it, how it should be done, how should the architecture be done, how should the security model be done. I think there was a bit of frustration from all of us because the security market has a lot of players and there are a lot of buzzwords, there are a lot of marketing messages...

Yes.

...that seem like all over the place, and we were like, no, we want something transparent, we want something like the organic version. You know, when you buy food you're looking like, okay, how can I get the best food? I want something organic, I want something that's done right. And we wanted to have this kind of software when it comes to password management.

I think the fact that you've come at it from that angle to start with, and the founding of the company is based on not just what you'd call corporate grade or making money or a quick dollar, I mean it's very commendable to the group, right? And obviously, going down the open source path as well, what are the challenges there in going open source versus going commercial from the outset?

So the first thing I have to tell you is that we've been wrong many times. We were in a very comfortable position when we started working on Passbolt, in the sense that we had a bit of cash and we had a lot of time in front of us, and this was a big advantage because it gave us plenty of time to think about the security model, to really work hard on it. And we did the first version and we were not fully happy with how it was coming together, so we did the second version, we were still not happy, then we did the third version. Initially we had projected that it would take us six months to come up with a first version, and it took four years.

Wow, okay. Four years is a really long time in business.

But once again, we didn't know if we would monetize it. It was three friends having fun. I'm summing up a little bit, simplifying a little bit, but three friends having fun and really wanting to build something that makes sense.

So during that initial four years, did you have any product out there, any betas, any versions, or were you simply just working behind the scenes?

Behind the scenes.

Wow.

Nothing was released yet. We had the first GitHub repository in 2012, but once we decided to build it from scratch again we removed it. So for four years it was absolutely nothing, and all this takes us to 2016, when we were really proud of what we had built. It was still an MVP stage, not too many features, but we were proud of the security model. It's something really innovative: secret key based, mandatory browser extension, in order to make sure that the libraries cannot be tampered with and that we can store the secret key in a safe way. We put it on a GitHub repository and decided to communicate about it first on the French open source platform called LinuxFr, and this was deliberate because French people, we know them well, of course, we are French. They are very vocal, always ready to criticize, you know, like social and honest roots, and we knew, okay, we're going to put it there and have the brutal and honest feedback. And we got it, but also a lot of really constructive feedback and a lot of users, GitHub stars to start with, which convinced us that we should keep pushing.

It's very interesting that you talk about the fact that you kind of user acceptance tested it with a culture, effectively, as opposed to people, right? But I obviously know European software developers quite well, I work with a lot of them, and I work with a lot of European customers as well, so I do know the feedback differences that you get from where I live, in APJ, to America, which is very much they don't want to say a bad word about anything. Maybe in APJ they say a little bit, but they hold back. But I know that in some areas of Europe they really tell you what they think, so it's probably the best place to kind of test something, right?

Yeah, yeah. Sometimes you don't feel good about it.

That's good, that's how it is. Fail a lot before you actually succeed, I think, is the way that you've kind of said it. Hey, talk about, obviously this is an interesting sort of question to ask, because obviously there's a lot of IP, and there's a lot of dangers in going into the nitty-gritties of a framework and the way that you actually make your platform work to do the security. But give us a general overview of Passbolt and its capabilities, and how you, you talk about the private keys and what was important to you guys, but maybe talk a little bit about how you do it differently and why your methodology is not the same as other people out there in the industry.

Yeah, sure. So there are really different USPs and different angles. So the high level is, what Passbolt does is security, privacy and collaboration. It works differently. So first of all we wanted an open source platform that can be installed in one minute tops: you know, apt-get install, name of the project, passbolt, your server gets installed, you send your first invite to your users and they're onboarded super quickly. That's the first thing. Second thing, we wanted a KeePass-like experience. So most password managers in the market are built for consumers initially. If you look at LastPass, 1Password for example, they were all built in 2005, and if you look at their UI, their UI is really made for consumers in the first place. That's because of their history, that's not because of, let's say, a choice that they made later; basically in 2005 and then they rolled with it. But with Passbolt we were like, we don't want to be a consumer product, we want to be a B2B product, and we knew that we had this pain point in the past, we are guys coming from KeePass, we wanted to retrieve the same experience. And KeePass is great at managing a large volume of passwords, so we wanted a solution that can manage a large volume of passwords, and then once you have your passwords in it you can share them in two clicks. But, and this is a big differentiator that we have, I would say most password managers, because I don't want to say all of them, there might be some that we don't know, but most password managers in the market only allow you to share an entire vault or collection. So basically you create a collection or a vault, you put all your passwords in it, and then you'll be like, okay, I'm going to share this collection of passwords with a group of users. But the problem of that is granularity. If you are working with complex projects, complex customers, you'll have a project that will have a DevOps part, that will have like a website part, that will have a social media part. You do not want to share all these passwords with all the users.

Yeah, you will want more segmentation, right?

So this is one of our USPs. In Passbolt we have a folder system that really looks like KeePass. You can click on the folder, you can share the first level, the parent folder, with a set of users, then you can restrict the permission inside the folder, expand it again in a, you know, level plus two folder. It's a very flexible type of permissions, and it's really interesting from a security standpoint because we only encrypt what we have to. So let's say if I'm sharing a password with you, what's going to happen behind the scenes is that the client will download your public key from Passbolt, it will encrypt one version of the secret only for you and then send it to the server, and then the server will notify you. So basically the server knows only your own encrypted version of the secret.

Right, okay.

And this is a very interesting attribute, because if I remove your access to the secret, then the server will simply wipe it out, it will not be accessible anymore. Which is not the case, surprisingly, with many other password managers, because they are not able to rotate the key that is used for encryption, and it means that once an access is removed, in most of them the access is actually not removed from a crypto standpoint, and whoever has access to the server will always have access to the passwords that have been encrypted once, even though the access is removed. Once again, most password managers will download an offline copy of the vault from the first connection, for usability reasons, but this is very dangerous, because this is exactly the same metaphor as you sending your KeePass file containing all your passwords that we talked about earlier.

Yeah.

So I give you access to the vault, at your first connection your client will download an entire copy of the vault that you will encrypt, and this means for the platform manager it is just impossible to tell what passwords you had access to. From a crypto standpoint or from a security standpoint it means you possibly had access to all the passwords that you downloaded. And all these are things that are unacceptable for us, and these are our security particularities that we have implemented in our security model.

Yeah. So you don't have any offline mode, basically. It's one of your differentiators.

Yes, that's correct. The server is the authority to give you access or not to the secrets that you need at a specific moment. So if you need to access a secret, you basically click on it in the client or you use the autofill feature, then the request is made to the server and the server decides to liberate the corresponding secrets or not.

Okay. And you do have Passbolt Cloud, that was released in 2019 from memory, so what's that, how does that kind of fit into the picture?

So we developed Passbolt Cloud because some of our customers were complaining that they wanted the cloud version, because they started on-prem and then they realized that on-prem is not for them. They did not have the resources, the manpower, or the knowledge to do it themselves, but they really trusted the solution, so they started asking us if we could host it for them. And once we had like several dozens of them, we decided that it was time to develop a cloud version in order to fix this pain point.

Okay. And is that obviously guided by exactly the same principles that you talked about with regards to if someone uses the apt-get install Passbolt platform?

Yes, absolutely. And even in terms of privacy, in the sense that the cloud version of Passbolt is hosted in Europe, so it's under European laws, which is supposed to be good for privacy. I mean, well, we have laws for privacy, which is already modern.

Yes, yes, yes. Some that will remain nameless, but yes, absolutely.

So yes, same principles, but the only difference is that you do not have access to the hosting, so you do not have control over the hosting, but you have control over everything else. So you can export your passwords, you can even ask for a backup, we'll provide it. So if you want to shift from cloud to on-prem, this is completely possible, and the opposite is also true.

Okay, good stuff. I think one of the good things, I saw a great video on your YouTube channel about the UI and the UX experience, specifically tailored around what you were talking about: the ease of use, the sharing, the collaboration, and the different teams. It's almost like role-based access collaboration built straight into the project, or platform, sorry. I will link to that in the show notes so people see that video, because I think it's a really good example and a good manifestation of what you've just talked about. And I think one of the cool things that I liked about that video is it had a section where it said "real devs don't use UIs", so obviously explain what that is with regards to Passbolt, how you've gone beyond just that. You mentioned the managers that were created in the mid-2000s have that consumer-based UI, so how have you gone about making it dev friendly?

Yeah. So even when we speak to our users and customers, we see a lot of fragmentation in their ecosystem. So sometimes we have people coming to us and they are like, you know, we really want to unify all the solutions we are using, because we are using, for example, 1Password or Bitwarden for the end users, and on the other hand we have our SRE team slash DevOps team that is using Vault from HashiCorp, which is a fantastic product, but it's terrible for users that are non-technical, or I would say even non-server related. So they are like, some of our users need to connect to Vault in order to get some of the secrets and do something else with it, so we are looking for a solution that can really unify it. And that's exactly what Passbolt does as a platform: it helps different teams, cross-functional teams, non-tech guys, tech guys, DevOps guys, work together in a single platform. So for the server slash DevOps guys we are providing an SDK, we are providing a CLI, we are providing the tools for them to integrate with Passbolt. So we are seeing a lot of really interesting things happening, and contributions. Recently one of our users has developed an Ansible plugin because he wanted to inject secrets automatically from Ansible in CI/CD processes, so he did an entire plugin and since then is maintaining it. So that's really interesting.

Community. You've got some community buy-in as well, which is very important.

Yeah, yeah, more and more. It took time to put it in motion, but now the ball is really rolling and we are seeing interesting stuff. We had one desktop app also that came up as a community contribution, and we worked with the guys, we are pushing it through the finish line. And what makes it interesting is like you can have your DevOps team that will work completely without a UI, using the CLI or some of the automation, but still you will have your report and your activity logs, your observability, traceability inside the platform for the users for whom it matters, typically the managers or the power users.

Yeah, which is great. I think we talked about this actually in the Croatia where we said a lot of these platforms are glorified spreadsheets.

Okay, yeah.

And it's clear that from the start you've decided to work against that notion in this industry, right, and say that, yes, we want to have a password management that is more than just a glorified spreadsheet. So I think that's what really stands out, and again, if you're wanting to see this in action, the video that I post in the show notes is going to give you that in a really easy way. Let's talk a little bit about the FIDO Alliance, because I think that's something that I was reading the blog post about. So just explain what FIDO is, what the alliance is, and why it's important for Passbolt to be part of that.

Yes. So, as you already brought up, we talked about the concept of platform, and as a platform what creates value for users is the quantity of use cases that will help them manage. And Passbolt is much more than a password manager, it's like a password manager, a secret manager, and obviously it's also leaning towards authentication scenarios, because once you have all your secrets and your passwords in the platform, what's the next step? It's like, okay, how do I get my users authenticated without them seeing those passwords? And obviously now, well, the time has come for passkeys, and scenarios where people can connect with their fingerprint on their biometric or any other device, and this is a use case that we hear a lot about from our community and something we really wanted to embed inside Passbolt. So it's still very early for us, in the sense we just became a member of the FIDO Alliance. Of course we have already a feature that is being developed internally that's going to exploit passkeys and offer authentication scenarios to our users, but still very early. It will take one or two quarters to have something to show.

Okay, good stuff. I want to sort of change tack a little bit and pivot to, at the end of last year there was obviously a fairly major incident where one of the industry heavyweights got absolutely, I guess, nailed really is the best way to say it, in terms of a leak, right? So that meant that from December, January, February it was top of mind. Everyone was thinking about password management, lots of conversation on social networks about what password manager are you using, I'm using this, now let's use that. Obviously I had Bitwarden on earlier, and what I feel is that we've gone back to a state of people just being almost kind of content with the way that security is again, and it's almost like we need major incidents to be able to make the broader community aware of security, right? So, number one, what do you think about that, and then the second part of that, how do you deal with that as a company, how do you remain front of mind all the time?

For us it was, well, it was a good thing that they got hacked, because it's terrible for a lot of people of course, but for us it was good in the sense that we have spent years articulating our communication and conversations around security and telling people, you know, our main USP is security. And a lot of people were like, yeah, cool, but you know, you're a password manager, so you have to be secure. And I think when this happened, a lot of people in the industry realized, okay, so it's not because it's a password manager that it is secure. It's like, I have to do my homework, I need to understand how they are handling their security, I need to understand how things are actually made, maybe I should read the white paper of the solutions I'm using. And this is what drastically changed in the conversations we are having. Once again, new customers are coming to us, people wanting to leave existing solutions, they're like, you know what, we've realized that the security of the solution we are using is not what we want, there are just too many risks. For example, there are a lot of password managers that are sensitive to brute force type of attacks or phishing type of attacks, and typically right after the hack of our competitor, because this hack was really terrible in the sense they got access to the vault, they launched a brute force attack on this vault, decrypted a lot of them, and right after that what they did is target the other password managers through phishing attacks...

Yes.

...to try to get more of it, and because a lot of them are sensitive to phishing attacks, well, the attack didn't stop there. And I lost what I wanted to say, but yes, so basically the impact for us is we are having more in-depth conversations with the people contacting us, and the conversations now are starting much more with the security rather than with the features. Security has really become the most important feature in password manager adoption.

Yeah. I think, and so I kind of parallel that to, if I think about backups, which is obviously the world that I live in for my day job, people definitely think of backups mostly, traditionally, once something had happened, once they needed to access that data, once there was an attack, once something was maliciously deleted, accidental deletion, whatever it is. So I think that's kind of a parallel there, and another parallel is the cloud, right? So if you have cloud-based
services people just assume that those services are always going to be protected and redundant and backed up and and whatnot but the truth is they're not so there's a lot of Education it needs to go into you know making sure that all sorts of business enterprises understand the risks that they do when they put you know their services in there I think the passwords are a little bit the same with security I think that's that's what those incidents kind of raise it's like just because you've got your passwords
in a Secure Vault does that mean they're actually secure so I think like you said it's generally a good thing I think it makes the bad guys um even more pointy I'll I'll you know I think it makes them more sophisticated because yeah we talk about you know Brute Force being not not super sophisticated phishing is not super sophisticated but it's getting more sophisticated but I think in the top end of attacks where they're trying to actually exfiltrate and get passwords through whatever means possible you have
to have these processes in place as a platform to be able to protect against that and I think more people more businesses know that the more risk there is um so do you do you do you think that is true and then number two where does the ransomware industry sit with the password security industry is it one of the same I just had this thought because obviously ransomware targets something differently on a system but where when you get hacked or when you know you lose passwords is that part of a ransomware attack or is a different type of profile
of attack no well you know as we always say password is the smallest common denominator in any type of attack most of attacks including fishing uh are targeting passwords what do you want to get you do you as an attacker you want to get credentials right yes so once you get credential then you are gonna try it on many other platforms because well you know most people they have simple passwords and they always reuse the same everywhere so that's what a password manager is about okay how you know it gives you a good password hygiene in the
sense let's have complex passwords everywhere and let's secure them in a way that will not make it easy for attackers to access them in the case of possible so see that there are things we hear a lot and that we we are trying to debunk so for example some of uh our customers are coming to us and they're like guys why you don't have an offline mode you know really need an offline mode and they are like okay before we tell you what features we have or not let's have a discussion about the implication the risk implications of
this offline mode are you comfortable having your thousands of users having each a local copy decrypted you know offline copy of their entire vaults in their local machine are you comfortable with this risk because then you need only like one of them to have a malicious software installed and being able to read this copy of the Vault to be able to go further yeah of course and no one's going to say yes to that yeah they are like uh well this is the first time I'm thinking about it you know I didn't know and they're like yeah so
that's the reason why we are not doing it this is not because we want you to have a bad experience with the software is because we consider that it's a security risk yeah and we are a Security First solution in the true meaning of the term yeah like so education is in education for you is consistently happening with your customers as I come and that's and that's around that question in that sort of section that's that's why attacks while they're not great I was obvious I was impacted by
that that big LastPass attack you know and even though I had a fairly strong master password that I you know to be fair probably wouldn't have got decrypted for a long time I would hope you just never know what sort of um computing power is going to be in the future and how quickly they're going to have systems that could do that sort of compute um and could actually crack it so lots of people had to scramble but I think in that sense the whole industry woke up and I think it allowed everyone to be educated and I think you know
while it's not good I think guys like you obviously ended up winning out of it because you had a good methodologies from the start which which you've talked about um just finish off Lotus I'm interested to see where you're going in the future you know obviously you've done you've done some great things I think we get we get the why we understand the value proposition as to why the company was started what you're doing differently so how you've innovated in that space But how are you looking to continually you
know innovate in this market moving forward so I I think uh we could compare a solution like possible to a solution like git lab you know in a different space like uh git lab started with very simple use cases like how do I version my files you know as a developer how like a simple GitHub and later on they added all type of use cases so it's also connected to your CI CD you know you can also do security assessments Etc passport is the same so we have a roadmap that's a bit scary uh it is scary we are scared of foreign
as well isn't it I was looking on the website and you you let um the community vote on certain features as well don't you yeah yeah absolutely so we have two uh two road maps we have one that is on our community Forum where people really come and participate in the conversation give their opinions this is also where we are um uh promoting the specifications before we start building it so uh usually the way it works we uh with the team we'll get you know the the feedback that people are giving us in the Forum
then we'll start on the first version we'll work on the first version of the specifications and once we have something that we are okay with we put it in the community forum for feedback and we do have a good bunch of people who you know check these documents uh giving comments and some time we discover new use cases we're like oh yeah that's smart you know we would not we would never opt out of this if this guy uh didn't mention it so we iterate Paul while and once we have specifications that we think are Rock
Solid we start with the the development work I would say the development work is not what takes the the biggest amount of time it's really like how do we specify it how do we make something that makes sense and as I said we are security first company and any conversation any feature starts with security like does this feature serve the purpose of keeping our customers and users more secure uh so we have the community version of the roadmap that is like a big conversation with lot of items with hundreds of items it's going in all
directions and then we have a more polished roadmap that we have on our website yeah which are like high level features that we are gonna implement but we usually don't provide deadlines because it's it backfires you know then you have a surprise I know very very much about that it's ready when it's done well look I think that's a it's a really good strategy as well and hey we're out of time but it's been a great conversation went very quickly we got through the Lots I think it's a great
story in terms of you know again our necessity a company was born three friends coming in making sure that they wanted to create a product that wasn't just for you know a quick dollar thank you very much for being on the show and this is a fun reminder if you like great things with great Tech would like to feature in future episodes please go to jtwjt podcast or hit me up at Anthony spiteri or anthonyspateri.
net once again if you're out subscribed please go to the podcast station or to YouTube and with that thanks to Kevin and thanks to passport this has been episode 65 of great things with great Tech thanks kid thank you [Music]