Quick note, you obviously don't need to throw this into the cloud -- you can self-host something locally on your own intranet with something as small as a Raspberry Pi if you want. :) Check out all the sweet stuff Passbolt can do! j-h.io/passbolt
I know you were sponsored by them but I would have liked some honest insight from you about the actual password manager itself, how it does things and how secure it is... etc. Possibly a comparison with some other prime ones, Bitwarden, LastPass... I mean I've heard nothing about why this one would be better or good... (again aside from you being sponsored by them)
Could you take a look into sliver c2 ?
I can't believe you recommended this without 2FA ... I thought you were serious about security.
@@wolfiexii Yeh... I had high respect for some of the in-depth videos but this really looked and sounded like a quick sponsor cash grab. No 2FA / hardware key support makes this product null and void. And I guess John doesn't respond to his viewers raising concerns either.
@@JPEaglesandKatz Aye, what starts out good, goes down hill fast when cash and politics get involved.
It is good, but passbolt lacks 2FA unless you pay, which I think should come standard in 2022.
I agree, we've ended up going with Psono purely for the 2FA
A password manager without 2FA? Thanks but no thanks... I think I'll stay with Bitwarden.
@@clb92 me too, Bitwarden with yubi key
Bitwarden has 2FA and can be self hosted. That is the standard all competitors must meet to even be considered.
I'm confused, do you mean you want to store your 2FA in your password manager? Or enable 2FA for Passbolt bc that's included with the self hosted option?
Just self-host Bitwarden. Open source, audited and trusted.
@Hoxton stfu..they probably have a reason for it
Bitwarden > assbolt
@Hoxton lmao true
Vaultwarden for more features
@@VIVEVIEV oof
I’ve had Passbolt running for over a year now. I love it
It's still the digital equivalent of keeping the front door key under a stone. LastPass learned it the hard way. As for using an open source tool for storing your secrets, OS has both the pro and con that everyone can see the source code. If someone finds a bug there's no financial incentive to fix it if the finder has nefarious plans.
Not tryna be mean but comes off to me as shill-y "I need to store my passwords somewhere. I will immediately use Amazon and Google to do this" Though, I am also enjoying watching your videos now that I just discovered them, so props! It is good to teach people about gpg keys and stuff. But there are other hosting and domain options, lol
To me looks like amazon sponsored passbolt into sponsoring this video
Looks great but honestly I would not use a password manager that didn't at least support TOTP 2FA just for my own peace of mind. Bitwarden's free plan has TOTP 2FA and also allows self-hosting and free access to their cloud hosted instance. Passbolt looks great but it's not for me until it supports TOTP 2FA for the community edition.
THIS.
You can also self-host vaultwarden (a Rust implementation), which comes with all premium features unlocked.
Looks like a great tool only if it supported at least some kind of MFA. For now I will stick with Bitwarden and Keepass.
Even if you host it via the "on-premise version" it doesn't really qualify as on-premise, as AWS can literally do whatever they want to your instance. That includes modifying the Passbolt installation to dump your username + password to some logfile ;-) personally I wouldn't trust any hoster with such data.
$0.046/hr is like $30 a month? Too expensive for password manager imo
don't they have a free tier
@@biackshibe They have a theoretically-free tier that for me never really ended up being actually free.
@@paulstelian97 the software itself is free.. the $0.046 is for using the resources on AWS - EC2 instance, etc
@@swapnildinkar I meant the free AWS tier itself (not the one picked by this). It says free but I tend to pay and quite a bit actually.
Run it on digital ocean for $4/month.
would've been nice if you followed some best practice and put the instance in a private subnet and did the same setup, that would've been great, I doubt anyone would leave their password manager app just that open.
Sounds really inefficient to use an EC2 instance for such things. Not only are EC2 instances expensive compared to other VPSs, the instance will also probably idle 99% of the time. On the other hand you could just sync your KeePassXC file with S3, Nextcloud, Google Drive, ... For big companies with a lot of users this is maybe useful. But I would not recommend it for personal use. Still, a Lambda version would be nice, so you save costs and do something good for the environment (less electricity, less hardware, ...). And let's not forget to implement a backup system. KeePass synced to the cloud is already more secure there, as copies are local and in the cloud.
mehhh... I mean Bitwarden is the standard, right? So not seeing a compelling reason to switch, plus there's a lack of 2FA which is weird.
i use Bitwarden, it's open source too
I'm a grumpy old BSD guy who believes "worse is better".
Which is why I'll stick with trusty ole pass.
I use keepass for personal use, but this looks great for corporate environments
Your tone of voice and demeanor make this hard stuff seem simple......but WHY would someone want to go through ALL this just to configure this?
Nice!
I think most people in here are missing the use-case for this. Great functionalities in Passbolt honestly. You can admin the access control to passwords for a team, e.g. IT, sales, production etc., very easily. This is for businesses. What's wrong with having to pay for that.. I for one thank you John, as this is exactly what the startup I just started working in needed.
Yeah it's great until AWS servers have an oops, and then hashes get leaked. That and MFA is paywalled (i mean come on, this is like an EA game, get a half-assed product and get the rest as paid DLC). imo KeePassXC is the way to go. It's free, completely local, you're in control of everything, and if you need syncing, you can use syncthing, or just copy the database file over to your other device. And if you're *really* paranoid, you can always use a keyfile or hardware key to encrypt your database.
Nice video . Thank you
why not use a normal password manager like LastPass or so?
and what's the best free password manager?
Thanks!
There's no 1 "best" password manager, or "best" anything most of the time. It largely depends on your own preferences and requirements.
1. Do you trust the company who made the password manager?
2. Do you trust whoever is hosting the server?
3. Do you want it to be accessible from anywhere in the world or just from inside your intranet?
4. How many sets of credentials do you need to store?
5. How many people do you need to share some of those credentials with?
6. Do you want a CLI client for automation or just because you love the terminal, or do you just want a plugin/extension that works on your favorite browser?
7. If you're *really* into tech & security, what specific features and configurations do you want on your self-hosted server?
8. How many milliseconds do you want to shave off of each login?
9. [Insert some other seemingly-obscure preferences a bare-bone Linux user might think of]
I use Arch Linux but I wouldn't recommend it as "the best OS" to someone asking for a beginner Linux distro. I like Python and Rust but can't recommend them without knowing what someone wants to develop.
John's sponsored so he's showcasing it, but for all we know he could have just cancelled his subscriptions after making the video (I'm not saying he did, just that he can). You can use Lastpass if it seems useful. I used it for years until I had some issues with it and switched to Bitwarden because I liked some of the things they offer for free (e.g. not having to pay for MFA).
@@i_sometimes_leave_comments Thanks man,
appreciate it!
This defeats the purpose of you watching this whole video. It's most secure since you're hosting it yourself. As long as you don't get hacked (which quite honestly is very slim unless you frequent the sketchy side of the net) you are not relying on a 3rd party to handle your credentials. Now you obviously are compromising "easiness" over "security", but you are more than welcome to go the easy route and have a higher risk of it getting leaked. LastPass gets hacked twice a year lol
Enpass is better if you need one Vault per user
Passbolt is nice if multiple users need access to one vault, but with different permissions
Enpass is paid, closed source and has been buggy on Linux for years :P
I only use it cuz i've a lifetime licence from back when it was 5 bucks
Is it possible to protect files like PDF /Excel using passbolt ?
That's a good idea. I seriously need to write down each password instead of remembering them
I don’t see why they use an external provider for SSL when certificate manager would have just been another line in their cloudformation script. On top of that, same for cloudfront…
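The two suggestions above (an instance in a private subnet, and a certificate issued by AWS Certificate Manager from the same CloudFormation template) can be expressed as one template fragment. This is an added example, not the video's or Passbolt's own template; the VPC id, CIDR, hosted zone, AMI and domain are placeholder parameters, and the load balancer or CloudFront distribution that would actually consume the ACM certificate is left out.

```yaml
# Added example, not from the video or from Passbolt's own deployment files.
# Places the Passbolt host in a private subnet (no public IP, HTTPS only from
# inside the VPC) and requests the TLS certificate from ACM with DNS validation.
# All parameter defaults are placeholders to be replaced.
AWSTemplateFormatVersion: "2010-09-09"
Description: Passbolt host in a private subnet with an ACM-issued certificate

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16        # placeholder: CIDR of the VPC above
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id
  DomainName:
    Type: String
    Default: passbolt.example.com   # placeholder domain
  AmiId:
    Type: AWS::EC2::Image::Id

Resources:
  # Private subnet: instances launched here get no public IPv4 address.
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcId
      CidrBlock: 10.0.10.0/24     # placeholder: must lie inside VpcCidr
      MapPublicIpOnLaunch: false

  # Only HTTPS, and only from addresses inside the VPC (e.g. an internal
  # load balancer, VPN or bastion); nothing is opened to 0.0.0.0/0.
  PassboltSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Passbolt reachable only from inside the VPC
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref VpcCidr

  PassboltInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmiId
      InstanceType: t3.small      # assumption; size to your user count
      SubnetId: !Ref PrivateSubnet
      SecurityGroupIds:
        - !Ref PassboltSecurityGroup

  # ACM certificate validated through a Route 53 record that CloudFormation
  # creates for you; no external CA or manual renewal involved.
  PassboltCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId
```

Two caveats a practitioner would check before using this: an ACM certificate cannot be installed on the EC2 instance itself, it is attached to an Application Load Balancer or CloudFront distribution placed in front of the host, so one of those (plus the route from your users to it, typically a VPN) completes the picture; and a private subnet has no internet route, so package updates need a NAT gateway or a VPC endpoint.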
What does it cost to run on aws per month on average?
lol all good until you have to grab your phone in order to enter 2FA, it should be included in the CE. Anyways I'll stick with Vaultwarden.
So, it's open source, but all the good functions which would be better than other services are paid? Even freaking folders and MFA? So KeePass if you're using it for your own or Bitwarden for multiple users is still the better option for hosting tbh (and even has an open-source community Rust server implementation). And it's 360€ for a year? That's insane... Not an alternative.
We used passbolt but migrated to passwork because it just had more of the stuff we need.
Did I see you just log into AWS as root! Tut tut :) I use GNU Pass for my personal password manager.
have been using self hosted KeePass database on Google drive for the past 10 years. have avoided all the "safe" online password sites and their oopsie-daisies data exposures.
I'm good with my solution (which has 2FA built in for those that are going to bring up that it's only a password)
How much does this cost on AWS?
vaultwarden
Passbolt vs Bitwarden(vaultwarden) ?
The thumbnail wants to kill me
This is so freakin scary. I am always worried my password file database and app is making connections to the internet.
I kinda wonder why a hacker would recommend your passwords to be stored in a cloud service? That would really be the last resort where I would put my passwords to be honest. Bitwarden has 2FA out of the box, is also open source and can also be installed locally, all that at zero cost.
Nice, but it's not your own infrastructure, it's still cloud.
How much does it cost using Amazon?
Apps are free, but the instance is $30/month
$0.046/h = $1.104/day = $30+/month
@MrNolimitech seems too much for just hosting a password manager. Is there a way to get it cheaper?
why not bitwarden?
Passbolt sucked so much when I had to use it. Never again. "stay logged in" never worked and I got logged out after 5 minutes and it got no app during the time. Bitwarden is so much better in my opinion.
Is BitWarden still a great password manager?
I would say the best
It's the only one I know of that has been independently audited multiple times and never had any data leaks
I like it. You can host your own Vaultwarden server too, if you'd like.
plot twist: it really found elon musk's car location
I'm glad I wasn't the only one that noticed Elon was mentioned in the setup screen
that's kinda scary how casually you overwrote your existing primary SSH key
He is in a virtual environment. One he probably created for the video, so, it's fine.
@@Freeak6 ye i get that but didnt even hesitate :p
not from doing that but ive felt the pain of locking myself out of my servers before and its not fun :(
This is rude.. you're not showing or explaining the pricing it'll take to rent the EC2 instances..
Just make sure to mute your amazon doorbells or you will lose your passwords
Probably just self hosting bitwarden is better. Open source, audited, and good community.
Isn't it the same concept though?
Bitwarden rules.
Ohana means family, right?
Is this a promotional video?
Why are none of these tutorials on actual in-home clients? They're all "I ya here my rdns" like; show us a real world scenario where we have an Ubuntu computer kicking around and we want to run it on that and be accessible.
The master password is legit
I'm not sure how anyone could recommend this when they paywall MFA, SSO and auditing. What a complete joke.
Nah, Bitwarden for me.
13:04 locating Elon Musk's car 😅
Very cool. I still prefer LastPass simply because it has my 500+ passwords and is sync’d on all my devices.
They have been compromised a few times though, so that’s one con. I’ve been considering bitwarden, but I’m pretty happy with LP.
You can export passwords as a csv and import it to another password manager.
even with all the breaches they have?
Make a video on evilginx2
I use my mind, fuck passwords services
I was never a fan of password managers..
Looks great but costs 34 dollars a month. So be careful
i store on blockchain
thank you for letting me know, I'll be trying to hack your AWS now xd
@Hoxton yeah that was a joke but I have a reset password poisoning exploit for AWS so I could probably do that if he doesn't have 2FA🙃
@@SolitaryElite from what I've seen the comments the 2FA is in the paid service not the free service
Aferin
Bitwarden all day.
is he teaching us how to hack?
@Hoxton i mean any video
John, share your CSV file for educational purposes
any pros over using vaultwarden🤔
Any 1Password Fans?
👇🏼Like
this guy is all about money, once asked help because I was robbed, never even responded and I contacted him by email, after I unsubscribed him and lost track, today I see this video, and for this because they sponsored him he makes a huge promotional video...I don't trust the good faith of this guy...just saying...maybe he is a good guy, not to me but who cares right!!!
Call the police, idiot, he doesn't make that type of services, it's ridiculous.
i’m gonna assume briefly that this comment is legit, most people aren’t gonna help some stranger on the internet get money after being robbed. not easy to even confirm it to begin with, much less figure out how much you should get. you’re not entitled to getting money after being robbed.
for the video being sponsored we don’t know much about the contract and that’s common, but we can likely infer that the contract said something about making a video about setting it up. when there’s money changing hands, you need to learn to take what’s being said with a grain of salt, and even then the FTC prevents sponsored videos from being forced to say something they don’t believe. this goes for every creator online, not just john
@@josemicod2 well I did, it's not the point, I asked help for understanding how it was done, so if he is so eager to make videos about security if you are here just to promote and get money out of YouTube and not even do human things I call him out on that!! simple, but in a normal manner without calling names like you did, fan boy...maybe the idiot is other...maybe you have it so often in your mouth maybe
@@majoryoshi well I understand what you say, the point is I was reaching him not to get the money back, for that I made contact with the police, of course he has no power to go after it, but because I was in shock and I wanted to know/understand how it was done, it was from a BINANCE app, some hacker entered my PC and got through the security of the BINANCE APP like butter avoiding the second A2F security...etc...so you are assuming too much I believe
@@Hdio99 nobody works for free, only scammers
First
No one asked
Literally nobody cares
I store all my passwords in my KeePassXC offline, I trust no one.
"open source", why is 2FA behind paywall? trash
KeePassXC for me