KeePassXC Passkeys Without Big Tech!

  • Published: 21 Aug 2024

Comments • 63

  • @wildmanjeff42 5 months ago +24

    love keepassXC

    • @xylogram4168 3 months ago

      Keepass and KeepassXC are just a real blessing.
      Though I've been using password-store now, this is something I may use KeepassXC for a little bit longer. (Wish I had a YubiKey, tho :"v)

  • @FarmerRiddick 5 months ago +9

    I really appreciate your channel for the education you provide in mitigating the common problems of cyber security that start between the chair and keyboard.
    Most of the world have entrusted ourselves to the various corporate structures like Windows, or Google, McAfee, etc, as the default, easy go to, for our "security".
    For myself, I didn't even realize UBKey and KeePassXc, or other options were even a thing until I stumbled upon your channel.
    I've been learning things!

  • @GFunkEra1992 5 months ago +2

    Great Topic and tutorial. Simple and easy to follow. The algorithm needs to push this video. It will benefit everybody.

  • @neuideas 5 months ago +7

    "Authentification" is not a word, to my knowledge. The correct word is "authentication."

    • @billbliss7407 1 month ago

      If you understood what was being said, it matters not at all how it was said. Pedantry is unnecessary.

    • @neuideas 1 month ago

      @billbliss7407 Considering the personality of the Y-Tuber saying the word, being pedantic is appropriate.

    • @dave24-73 1 month ago

      The earliest known use of the noun authentification is in the mid 1700s.
      authentification is a variant or alteration of another lexical item.
      Etymons: authentication n.

  • @BenitoF2009 5 months ago +2

    Nice! Really, really nice!
    Thanks, Tom!

  • @johng.4959 5 months ago +2

    Great program. Thanks for this video!

  • @pcartisan2721 5 months ago +2

    Thank you!

  • @user-bf3ip4zf7y 5 months ago +3

    Great information as usual on this channel.

  • @mentecriptica3163 5 months ago +2

    Thank you for this valuable info

  • @tech-bore8839 5 months ago +3

    Honestly, I was stuck using a passkey for a single application and this new feature actually got me unstuck. Don't get me wrong, hardware keys are useful, but the fact you have to purchase this extra piece of hardware never sat right with me. I consider it the equivalent of having to buy pre-encrypted hard drives just to encrypt your system. It's nice having a free alternative that anyone can utilize.

  • @vram1974 5 months ago +4

    I'm always wary of using password manager extensions. Seems like they'd be a snooping/exploitation vector for malware.

    • @Darkk6969 2 months ago +1

      This can happen with hardware keys via snooping of the USB ports. However, the way passkeys and hardware security keys work is that they use private keys stored on the device, or in this case KeePassXC, that aren't leaked, so without that they can't do anything.

  • @northpoint1039 5 months ago +5

    All fine and dandy but what happens when the USB stick dies? I use KeepassXC with no browser extension and it works for my needs. However, I do not have a need to hide from i.e. - the government (yet). I'm not knocking passkeys, it's just an extra layer I really do not need.
    Great video though! I noticed that you're putting more work into graphics and it shows. Nice job :)

    • @soulstenance 5 months ago +2

      Back up back up back up! He mentioned he uses 2 Yubikeys, one in case something happens to the other. This is smart if that Yubikey is the _only_ way to log in. However having it as an alternative to your password is also a valid use case. Say you're out in public and don't want someone to see you type your password for example.

    • @northpoint1039 5 months ago +3

      @soulstenance I understand what you are saying. On my KeepassXC all I do is hit the auto-type button and it fills in my credentials but they are hidden from viewers (if any). So like I said. I'm good with just KeepassXC - In my situation. Everyone is different though. Thanks for the reply :)

    • @soulstenance 5 months ago +1

      @northpoint1039 That also works. Auto type is pretty cool, just be careful you've selected the right fields. I set a short delay long enough to select the fields I want to fill.

    • @soulstenance 5 months ago +1

      I don't currently use hardware keys or passkeys myself. My point was, anything you value, you should have a backup of somewhere, including your actual Keepass vault. Nothing is forever.

    • @northpoint1039 5 months ago +1

      @soulstenance I back up to a mirrored RAID and then it gets backed up to another mirrored RAID. That would be my whole home directory (/home) on separate controllers.

  • @ZensG_ 5 months ago +1

    Bitwarden is okay. For multi device usage

  • @BartFlossom 5 months ago +4

    I didn't know KeePass had a browser extension. Is there an advantage of one over the other?

    • @PaulG.x 5 months ago +6

      The browser extension enables automatic filling of username and password fields

    • @soulstenance 5 months ago +3

      You need the base app either way. The extension securely allows you to autofill fields with one click vs having to copy and paste all the time.

  • @captainofouterspace 4 months ago +1

    Should I worry about typing my master pass into keepassxc in Windows, considering M$ keylogs everything anyway?

    • @Darkk6969 2 months ago

      You can (how ironic) use hardware keys like YubiKey to secure KeePassXC. Myself personally I use a key file that's stored somewhere on my Linux machine, so even if they snoop the password and steal the database file, without the key file they can't do anything with it.

  • @bigjoegamer 5 months ago +2

    The problem with modern Yubikeys is that they can only store 25 passkeys. Hopefully there is a new Yubikey someday that can store thousands of passkeys.

    • @Jool4832 5 months ago +1

      You could also use the USB to store passkeys in the drive by storing the KDBX file.

    • @Darkk6969 2 months ago +1

      I agree they need to expand to several hundred passkeys.

  • @asificam1 5 months ago +3

    Passkeys use discoverable credentials on hardware keys. Hardware keys are good, but discoverable credentials are not since they are both limited in storage since you need the key to store them, and they are discoverable. U2F is much better since it uses the same math, and is just as strong. But this is the key feature, U2F stores NOTHING on the hardware key, so if you lose the hardware key, it's like losing a house key, the bad guys have to try it on every lock in the city to see where it goes. A passkey is discoverable on the hardware key, so it would be like losing your house key with your address printed on the key... not good.
    Ideal is password plus a U2F hardware token. Passwords, especially with KeepassXC are something you know which is more legally protected in more nations than anything else, and they'd have to physically beat the keys out of you anyhow, back that with a hardware token and you've got a hard target.

    • @GFunkEra1992 5 months ago

      Hardware is always better. Nitro Key is the brand I recommend. Thing is it is already a miracle if you convince a normie to ditch his 1 password for all sites and use a password manager. If they choose a Password Manager they go for the most popular which is closed source and gets hacked every other day of the week. So if a normie uses Bitwarden or better KeePassXC it is already a big win for them even if they don't have hardware. Again I totally agree with you U2F for the win. All sites need to implement U2F
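
The contrast drawn in the comment thread above between non-discoverable (U2F-style) and discoverable credentials, as an added sketch that is not from the video or from any commenter. It assumes a token design in which each site's key is derived from a device secret plus a key handle that the website stores and sends back; every name in it is hypothetical.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


def _mac(secret: bytes, label: bytes, app_id: bytes, nonce: bytes) -> bytes:
    # app_id is hashed to a fixed length so the concatenation is unambiguous.
    msg = label + hashlib.sha256(app_id).digest() + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


def register(secret: bytes, app_id: bytes) -> bytes:
    """U2F-style registration: return a key handle that the WEBSITE stores.
    Nothing is written to the token."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _mac(secret, b"tag", app_id, nonce)


def recover_key(secret: bytes, app_id: bytes, handle: bytes):
    """Re-derive the site key seed from a handle the website sends back.
    Returns None if this token did not issue the handle for this site."""
    nonce, tag = handle[:NONCE_LEN], handle[NONCE_LEN:]
    if not hmac.compare_digest(tag, _mac(secret, b"tag", app_id, nonce)):
        return None
    # Stand-in for the P-256 private key a real token would sign with.
    return _mac(secret, b"key", app_id, nonce)


class DiscoverableToken:
    """Passkey-style token: every credential takes a slot on the device."""

    def __init__(self, slots: int):
        self.slots = slots
        self.credentials = {}  # site -> key seed, kept on the device

    def register(self, app_id: bytes) -> None:
        if app_id not in self.credentials and len(self.credentials) >= self.slots:
            raise RuntimeError("token storage full")
        self.credentials[app_id] = os.urandom(32)

    def sites(self) -> list:
        return sorted(self.credentials)
```

In the first model the token holds one secret regardless of how many sites are registered, and a handle presented for the wrong site or to a different token is rejected; in the second, the per-site entries live on the device and the slot count bounds how many can be enrolled.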

  • @bigjoegamer 5 months ago +1

    How do we use passkeys on Linux for applications (not websites) without a hardware key (e.g. Yubikey)? On Windows 11, you can use Windows Hello for passkeys stored on your PC. On macOS, you can use iCloud Keychain. On Linux, you can use...what? KeePassXC only works for website passkeys, not application passkeys.

    • @terrydaktyllus1320 5 months ago +2

      What exactly are you expecting here?
      Yes, Windows and MacOS have "automated" ways of delivering passkeys to applications, but you have to put those passkeys in Microsoft's or Apple's Cloud to get that functionality. And you're fine with those two companies storing those passkeys, are you?
      An alternative in Linux is the command line based "pass" application which does similar passkey storage to Keepassxc. It also has browser extensions and because it's a command line application, it can also be accessed using scripts and a GPG agent.
      You make the choice - either have "your backside wiped" by Microsoft or Apple, and pay them with your privacy, or do a little bit yourself and occasionally have to "cut and paste" a passkey into a prompt on Linux.

    • @bigjoegamer 5 months ago

      @terrydaktyllus1320 "What exactly are you expecting here?"
      To be able to use and manage FIDO2 passkeys made for Linux applications, and do such things without needing a security key or a CLI.

    • @terrydaktyllus1320 5 months ago

      @bigjoegamer Efficient usage of Linux requires knowledge of the CLI.
      If you're not willing to put in some time and effort into learning the CLI then that's the problem right there - don't blame Linux for your unwillingness to learn.
      Like I said, if you need "your backside wiped", Microsoft and Apple are more than happy to do that for you, with your privacy as the payment.
      Perhaps be a bit less "bigjoegamer" and a bit more "bigjoepoweruser".

    • @bigjoegamer 5 months ago

      @terrydaktyllus1320 Learning CLI is good, but it's not the only good way to use and manage FIDO2 passkeys.

    • @ultravioletiris6241 5 months ago

      @bigjoegamer If you want a magical GUI with effortless integration with other apps, you’re definitely looking at Windows or iOS. Even if it comes to Linux it’s more likely to be an enterprise feature of RedHat or something rather than ubiquitous across user-oriented desktop distributions.

  • @audiobooks97 4 months ago

    Does it work natively with iphone?

  • @nosotrosloslobosestamosreg4115 5 months ago +2

    I wonder if there's an android version...

    • @Grunfeld 5 months ago +1

      Keepass2Android

    • @soulstenance 5 months ago +1

      There isn't sadly. But it's helping me move my account usage away from my phone as much as possible. Because sending passwords to my phone, or, omg, manually typing them, is incredibly inconvenient!

    • @diotitus 5 months ago +1

      @soulstenance There is an Android version of KeepassXC called KeePassDX.

    • @Ben-hg3bz 2 months ago +1

      There is KeePassDX that's what I use

    • @Darkk6969 2 months ago

      I use KeePass2Android which works pretty well.

  • @AxelLenz 24 days ago

    You should not talk about security. I'm a consultant in this area and it is totally easy to get all your passwords if you have malware on your PC. The whole idea is to not have the 2nd factor on the same hardware system as the first factor. ^^ OMG

  • @EricS-uf9mv 23 days ago

    This is a great explainer on how KeePassXC supports passkeys. One note though that's kinda irksome given this is a security related video... you are pronouncing "authentication" improperly. Authentication has five syllables. You are pronouncing it with six syllables... adding an extra "Fuh" syllable that doesn't exist. It's just odd man... It's pronounced au-then-ti-kay-tion. You are saying "au-then-ti-Fuh-kay-tion".

  • @pepeshopping 3 months ago +2

    Bitwarden DOES NOT “have your passwords on the Internet”!!!
    It has the ENCRYPTED version of your passwords, which is NOT THE SAME!
    Ignorant, exaggerated claims like that are what make an “expert” lose credibility!

    • @SwitchedtoLinux 3 months ago +4

      If the service is compromised, so are your passwords. No, this is not ignorant nor exaggerated. Just ask all the lastpass people...