Видео

Hi, thank you for watching! Sadly, we got so busy for a while there and didn’t release videos at a steady pace. So it seems like the YT algorithm downscaled our videos. We’re planning a release schedule to add more frequent videos moving forward, so hopefully this will be fixed moving forward.

Debi, thank you for watching and congratulations on deciding to improve your security! On iOS/iPad devices go to Settings > Passwords > Password Options. First, make sure that “AutoFill Passwords” is enabled (slider is green, not gray). Second, under “Allow Filling From:” make sure that NordPass is enabled. Finally, if you only want to use NordPass (this is recommended) then make sure to deselect the other options such as iCloud Keychain, so that your preferred password manager is the only one being used on the device. This last step to keep it clean and to not accidentally save a password in iCloud if you want it in NordPass. Hope this helps!

Thank you!

Hi Mary, thanks for watching our video! In most cases each website has a specific method to reset a password. For something sensitive like government services, this will likely involved a greater degree of proving identity and not simply emailing a reset code to the email on file.

Thank you for the comment and glad this helped! Hopefully you have it set up now and ready to use.

Thank you for the feedback! We will absolutely make an effort to produce better quality and more user-friendly videos for our next tutorials and guides.

Thank you for the kind words. We’re glad you found value in this video!

😊

Lucy, it’s unfortunate you feel this way or had a bad experience. We have nothing but a great experience for years.

@@jehusecurity Well you're lucky then. But I'm not alone. Thousands of people have had their lives ruined byProtonMail. Sure, the CIA spies on me through Gmail. But they never caused me any problems!

@@jehusecurity Ok for you, Jehu. You are a professional IT geek. Most of us are not.

Thank you, Sonne!

Hello Headbangrr, thanks for watching our video! No, Tutanota cannot be integrated into a mailbox app like Outlook, Mail, or Thunderbird. They do have their own mobile and desktop app that works and looks well. Largely it seems like they restrict this because they want more control over how messages are encrypted/decrypted on the device for enhanced security. Proton Mail does have a way of supporting this through a bridge application for desktop/laptop. So, if being able to have all your mail in Outlook is important for you then you might consider that. Otherwise Tutanota is a great choice.

@@jehusecurity okay thanks

Mario, Thank you for watching our video. That’s exactly the right question! They run Wickr Me off the same platform that they run their enterprise solution Wickr Pro platform on, so the increase of demand is a minimal impact for this free version. Last year, after this video, Wickr was bought by Amazon. We have considered making a follow up video to this, since that may change the threat model necessary for this particular product. We may still do that, but are trying to assess when there’s a real change in the core encryption or message handling code. To be transparent, there has been no obvious signs that Wickr Me’s security or privacy has been compromised or impacted. Amazon seems most interested in adding a secure enterprise communication platform to their offering through Wickr Pro. However, this acquisition is something to take into account when determining if this product is right for your needs. Something like Threema may be a better alternative.

Da Beast, while we can’t speak to every case we would make sure you’re searching by username and not only your contact names. This usually requires that you know the username of the individual you’re trying to communicate with. This does make Wickr Me more challenging as a primary messaging app, since users are not required to register a phone number or email. However, it may still work well for some use cases where anonymity is more desirable.

Moonlight, thank you for watching our video. Yes, you can either share an encrypted Cryptee document with someone who has the app (they can create a free account) or you can export to pdf, Word or markdown format and share from there, all within the app.

Vwy, thanks for watching the video. If you have a paid account, or have at any time in that account’s history, then nothing happens. Proton has stated that accounts that have ever been paid, even if they are subsequently downgraded to free, are exempt from inactivation. However, if it is a free account (and always has been) then after 12 months they only reserve the right to inactivate it and/or delete all data. It sounds like they lean towards more leniency here rather than strictly locking and deleting accounts.

Thabo, thanks for watch the video. Yes, the fact that Tutanota doesn’t recycle usernames is something that we considered as having an impact later on. We’re sure they did, too. For now, there are multiple domain options to choose from besides the obvious (at)tutanota[dot]com. We imagine they’ll add more over time. The whole reason for this is to prevent personal data leak or account take over/recovery from using abandoned email addresses tied to accounts. Generally, we find this to be a good thing even if it makes the signup process more… challenging.

Roshan Hegde, we’re glad that you like our video! We love Cryptee, too. It’s a phenomenal document editor and photo storage solution. If you don’t know, they just made some amazing updates to saving and the way they handle photos.

Monkeyy Gaming, thank you for another friendly comment. Stay tuned as we continue into our “Security Fundamentals” topics over the next few weeks.

Topper Worship, our pleasure! We hope it was helpful.

Malice Rising, it’s certainly unfortunate to purchase the wrong product. However, if you choose to keep it, Nord Pass is a fine way to store and use unique passwords for all your accounts.

AStupidMonkeyy Gaming, Great question! While we presented some examples in the video, there are any number of ways that threat modeling could be used for each situation. As we discussed, the most important thing is to understand the process of how to think about potential threats and have a framework to approach them. In the case you described it's important to understand what you are trying to protect. It could be the data you have in emails, on your social media, location, or purchase history. Determining the worst case risk here is challenging for some people because it can be hard to describe the impact that personal data has on your life or well-being. However, we would suggest that the aggregate loss or involuntary disclosure has a very deep impact. In your suggested concern, the bigger issue is how to address the risk. For Google or related companies, this might mean transitioning to more privacy focused services where possible. To be clear, Google is very secure but terrible with privacy. These two concepts are not the same, even though a lot of people discuss them as though they're interchangeable. One method of protecting your data is to thoroughly review the settings on these services and restrict as much information gathering as possible by "opting out" to anything you can. But realize that this sometimes only has minor effects. Another great defensive control is limiting the type of information you share with these services and the frequency of that information.

Brian, We’re very glad you like our channel and content. We’ve taken down both of your recommendations and will come up with something soon. We’ve considered adding a playlist of “By Viewer Request”, or something to that effect. Stay safe!

Jerry, thank you for watching our video.

Brian, the most basic reason we avoid Apple KayChain in our videos is to demonstrate the other password managers and to prevent duplicate entries or software competition between two password managers (I.e., both trying to save a password). We also aim to offer advice that requires the least complexity to implement while providing the greatest security. Since many viewers may use devices across multiple operating systems, a unified approach typically is easier to stick with. That being said, Apple’s KeyChain is actually a very secure password manager and there’s nothing we’ve seen to indicate that there is great cause for concern. If an individual uses devices almost solely within the Apple ecosystem, then we would recommend KeyChain since it is highly secured with Apple’s Secure Enclave and the plain text passwords are not synced to iCloud. There is a new iCloud Password extension for Chrome-based browsers (Edge, Chrome, and our favorite Brave). This does allow a use with Apple phones and/or tablets to use KeyChain on Windows computers.

Brian, now THIS is a great question! We are remiss for not clarifying this in the video (although slightly out of scope for the video’s intended purpose). The source of revenue for any company providing a claim of privacy is extremely important. Signal survives on donations in almost all cases. This is either through direct donations through PayPal or cryptocurrencies, or indirect donations through Amazon Smile (it appears like they earn somewhere around $3-5k/mo from this). The exceptions are few, but most notably in 2018 Brian Acton (co-founder of WhatsApp) “invested” or “donated” (the exact distinction of what return would be expected, if any is unclear so it’s probably just a donation) $50 million to Signal after resigning due to privacy concerns with Facebook’s direction with his app after they bought it. Keep in mind that while they have a polished website and great app, this is the work of only a handful of people, and have a pretty decent group of volunteers offering help on their open source code.

Alan, yes they do. Proton uses the bridge to connect their emails through their servers and Apple Mail (or other mail clients like Thunderbird) simply display the emails. As a note though, do keep in mind that an email from a third party (i.e. Gmail, Yahoo, or any other non-ProtonMail provider) will still pass through that service’s servers. Meaning, if someone sends you an email from an @gmail account their email and it’s contents will be seen by Google before being transferred to Proton’s servers. You can send an encrypted email to these addresses from your ProtonMail account, which will prevent the other servers from scanning the contents. This provides privacy and security at the expense of some convenience (that is, the recipient will have to click a link to an https website to open and read the email). They can then respond through this to again prevent snooping.

@@jehusecurity Thank you for the clear and comprehensive answer. If I am sending and receiving messages through the Proton Mail servers, even though my sender or recipient may be subject to privacy issues, my identity is not revealed? I understand the content of the email is vulnerable, but am I correct when I say my identity is still private?

@@alanzweig4799 It becomes a bit complicated, but at the core the answer could be that your identity is offered protection from being revealed. We don’t mean to speak in riddles, but the degree to which your identity is shielded would depend on a few details: 1) Does your ProtonMail email response give away your identity? (That might be if you have set your real name or a known sobriquet to the name field.) 2) How often have you emailed this person and could the contents of the emails revealed (or unmasked) your identity? (Such as referencing things, like accounts, that are clearly mapped to your real identity.) 3) Is it possible that your recipient knows your real identity and has saved your email as a contact tied to your real identity? (Google, Yahoo, and some others will have access to contacts saved in their users’ accounts and often in their devices, if the permissions are given.) 4) Do you send the emails encrypted, requiring them to enter a shared secret and access the email via a secure link? Depending on the answers to these questions (and some other matters) it could be that your identity is still protected. ProtonMail has among the highest thresholds for revealing account information, and it’s extremely unlikely that they would reveal it to any company or anyone who is not a Swiss legal authority even in those rare cases. Understand, though, that email is considered terribly open. Among other things, your IP address can be transmitted in the header of the email. If your threat model calls for discreet communication which protects your identity, then it may be better to seek other forms of communication. Signal, Wickr Me, and Threema are great options for full featured messengers. We have videos currently on the first two. Onion Chat is another possible way, but isn’t as feature rich or as intuitive for many. We do have plans to include videos for Threema and Onion Chat in the near future.

Hello James. For most users, setting up the password manager in either place should be safe. We might slightly lean towards conducting the initial account setup and vault creation on the iPhone, which does offer a more robust privacy environment. Keep in mind the vaults are actually created in the 1Password cloud unless you choose the local storage option. However, local storage would prevent syncing across devices and would likely not be best for most users as it would break much of the usability features for multi-device households. Once you have it setup, then install the app and/or browser extension anywhere you’d like and it will sync across the devices quickly. For most users, creating a new login on Windows in the vault is safe. We would recommend Brave or Firefox browsers for the best privacy and security. Generally, Brave may be more secure “out of the box” but Firefox is a stellar option, too.

Family Grant, you can block email addresses (or even entire domains) from the web interface. There isn’t an option for this on the mobile, which we admit is odd. Go to Settings → Filters → Spam filters → Block List → Add. You can mark an email address as Spam from the mobile app which will still deliver the email address but send it directly to the spam folder, but this may not be desirable in certain cases. In those cases you would need to login on a browser and block the address.