Your Passwords Are in Danger: Why You Need a Password Manager Now!

  • Published: 1 Nov 2024

Comments • 1.1K

  • @ewasteredux
    @ewasteredux 2 months ago +214

    "...and I am halfway there and even I can't do it." Hilarious!

    • @drewf64
      @drewf64 2 months ago +5

      I lolled

    • @nobodyjustbrad2750
      @nobodyjustbrad2750 2 months ago +4

      This had me laughing like an idiot in my car

    • @MrFastNapper
      @MrFastNapper 2 months ago +3

      that's when I paused and went to comments 🙃

    • @michaelterrell
      @michaelterrell 2 months ago

      @@nobodyjustbrad2750 I don't allow idiots in my car! 😁😁😁😁😁

    • @zaphodbeeblebrox2911
      @zaphodbeeblebrox2911 1 month ago

      (Rotate screen) 😝

  • @UnwalledGarden
    @UnwalledGarden 2 months ago +83

    I like Bitwarden.

    • @Bluscream
      @Bluscream 1 month ago +1

      There is even a self-hostable fork of Bitwarden called Vaultwarden, which is even more secure than using the cloud and offers all paid features for free.

  • @ZachJ367
    @ZachJ367 1 month ago +7

    I just started school for Network Engineering Technology and it's amazing how much of this was literally word for word some of the stuff I heard on my first day.

  • @Midcon77
    @Midcon77 1 month ago +48

    I agree with you for the most part - except using a browser tool for password management. It locks you into that one browser, and all browsers occasionally roll out changes that break things, forcing you to switch to another browser, etc. I use a dedicated PW manager that is a stand-alone app on my phone, plus a browser extension that works in chromium-based browsers and Safari, so I can always get to my passwords. Otherwise, you’re right on as usual - in today’s world a PM is 100% required.

    • @MatthiewMarks
      @MatthiewMarks 1 month ago +5

      This cannot be understated. It is common enough to find websites with bugs for specific web browsers, which means you always want to have the option of using a different web browser. Always use password managers which work with multiple web browsers.

    • @brianrace212
      @brianrace212 1 month ago +1

      This is a logical perspective; what top 1 or 2 do people recommend?

    • @Midcon77
      @Midcon77 1 month ago

      @@brianrace212 I use Keeper and have used LastPass before

  • @milesnapue
    @milesnapue 1 month ago +3

    I knew all of this already but this is GREAT to pass along to family who are not computer people. I've shared this with my sisters and nephews already. Thanks Dave. It was always a difficult conversation, telling my loved ones that their passwords sucked royal taint. This makes it easy.

  • @sprocket5526
    @sprocket5526 1 month ago +4

    Finally someone that in plain English explained to me what password managers are actually for. I have used variations of the same Pw for 20 years lol.

  • @barmanvarn
    @barmanvarn 1 month ago +10

    Computerphile did a great segment on this a while back. Their summary was combining 3 random words works great.

    • @nomore6167
      @nomore6167 1 month ago +3

      My personal method is to use two or three words, each separated by a special character, then follow that with another special character and 4 digits. It works great, except on braindead sites which limit a password to 16 characters (such as my doctor's web portal -- forced insecurity is bad enough, but it's especially egregious when it "protects" medical or financial information).

  • @bernarrcoletta7419
    @bernarrcoletta7419 1 month ago +13

    I have a book full of usernames and passwords. I locked them up at night in my safe. Then a capacitor blew in the X-01 lock. Since it's tamper-resistant, they couldn't drill the lock, it had to go down to the machine shop to be cut out. The safe was made of 1/4" armor steel, and it took the guys 4 hours to cut open enough of the side with a cutting wheel to be able to trip the lock and recover the book. Good times.

    • @coweatsman
      @coweatsman 5 days ago

      That must be slow distinguishing between say | or ! or I or l or 1, O and 0, [ and { and (, and so on. One little typo and very slow.

  • @Phantom-mk4kp
    @Phantom-mk4kp 2 months ago +56

    If you want to enhance your Google password security, accept the Google suggestion but add your own universal pin and insert it, say, 4 characters in, but don't ever save this. This means if someone gets into your device they still can't get into your accounts, because they don't know the pin or where to insert it.

    • @ErikLiberty
      @ErikLiberty 2 months ago

      This is genius! Took me a second to understand what you were saying so let me break it down for people like me that need an example. If you are on CNN's website and google suggests the password 1!G757bnb then save that to google but on CNN you would save that password and add your secret pin number somewhere to it like 4829. So the CNN password would be 1!G757bnb4829 but only 1!G757bnb would be saved on google.

  • @ericfielding668
    @ericfielding668 2 months ago +113

    Before password managers were common:
    I once had all of my (very strong) passwords in one pgp document. I had an extra strong password for that file - so strong that I forgot it one day. I lost all of my passwords.

    • @honeydaler
      @honeydaler 2 months ago +2

      I do this with winrar.

    • @UmVtCg
      @UmVtCg 2 months ago +8

      So, you could write it down and store somewhere in your house as a backup. That's why you get the option to print out a bitlocker key when activating bitlocker.

    • @russ254
      @russ254 2 months ago

      did you try “123456”

    • @NotSoMuchFrankly
      @NotSoMuchFrankly 2 months ago

      @@UmVtCg I do this so I can stay safer _online_ but it adds more vulnerability points to the mix.

    • @MrFastNapper
      @MrFastNapper 2 months ago +1

      I find that on a bad day, I cannot access my passwords from the password-manager for that very reason.

  • @floodo1
    @floodo1 2 months ago +10

    Last year I took the time to make sure all my accounts were in my password manager and refreshed all the passwords to make sure they were unique as well as set expiration dates as a reminder to change them. It was unbelievable how many accounts I have and how much time it takes to rotate passwords! Effectively impossible without a password manager!

  • @SBDavin
    @SBDavin 2 months ago +78

    I despise the websites that tell me my password is too long when creating a new account.

    • @TonyWhitley
      @TonyWhitley 2 months ago +19

      Even worse are the ones that don't tell you *until* you've entered it.

    • @stargazer7644
      @stargazer7644 2 months ago +22

      Or won't let you use special characters.

    • @Archgeek0
      @Archgeek0 2 months ago +14

      @@TonyWhitley The worst is when the field just silently truncates what you've entered and accepts it. Then you're logging in one day, accidentally bump enter before you're done typing, and watch your account come up anyway.

    • @robertthomas5906
      @robertthomas5906 1 month ago +2

      @@Archgeek0 The old Solaris pw. That's right, 8 chars max. The hash was easy to crack as well. So easy that used to be one of my tasks.

    • @jaredwilliams8621
      @jaredwilliams8621 1 month ago +6

      Usually this is a sign of poor password management under the hood. A good hashing algorithm doesn't care how long your password is, but an unhashed database column does...
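The silent-truncation failure described in this thread, and the hashing point made in the reply just above, as an added example that is not from the video or from any commenter. It simulates a legacy login path that cuts the submitted password to 16 characters before hashing it (a constructed scheme, not any real site's code) next to a hardened path built on the scrypt function in Python's standard library, which hashes the whole input. One caveat worth adding to "a good hashing algorithm doesn't care how long your password is": bcrypt does cap its input at 72 bytes, so that statement holds for scrypt, Argon2 and PBKDF2 but not for bcrypt without a pre-hash step. The scrypt cost parameters are an assumption chosen for interactive logins.

```python
import hashlib
import hmac
import os
from typing import Optional

# Legacy scheme (constructed for this example): the password column holds 16
# characters and the application silently drops everything after that before
# hashing, with no salt and a fast hash. Do not use this.
LEGACY_MAX_CHARS = 16


def legacy_hash(password: str) -> str:
    truncated = password[:LEGACY_MAX_CHARS]  # the silent truncation
    return hashlib.sha1(truncated.encode("utf-8")).hexdigest()


def legacy_verify(stored: str, candidate: str) -> bool:
    return hmac.compare_digest(stored, legacy_hash(candidate))


# Hardened scheme: per-user random salt, memory-hard scrypt from the standard
# library, and no length cap anywhere in the path. Parameters are an assumed
# interactive-login cost (about 16 MiB of memory per hash), not a benchmark.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hardened_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Self-describing record, so the cost can be raised later without a flag day.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def hardened_verify(stored: str, candidate: str) -> bool:
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    recomputed = hashlib.scrypt(candidate.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def compare_schemes(real_password: str) -> dict:
    """Return which candidate strings each scheme accepts for a registered password."""
    prefix_only = real_password[:LEGACY_MAX_CHARS]  # user hit Enter before finishing
    lookalike = prefix_only + "ZZZZZZZZZZ"          # right head, wrong tail
    legacy_record = legacy_hash(real_password)
    hardened_record = hardened_hash(real_password)
    return {
        "legacy_accepts_prefix_only": legacy_verify(legacy_record, prefix_only),
        "legacy_accepts_lookalike": legacy_verify(legacy_record, lookalike),
        "hardened_accepts_prefix_only": hardened_verify(hardened_record, prefix_only),
        "hardened_accepts_lookalike": hardened_verify(hardened_record, lookalike),
        "hardened_accepts_real": hardened_verify(hardened_record, real_password),
    }


if __name__ == "__main__":
    for key, value in compare_schemes("correct horse battery staple 2024!").items():
        print(f"{key}: {value}")
```

The legacy path accepts both the 16-character prefix and any string sharing that prefix, which is exactly the "bump enter early and the account comes up anyway" symptom described above; the hardened path only accepts the full password. The record format stores the cost parameters with the hash so that a later cost increase can be applied at next login instead of requiring every user to reset.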

  • @MikeLikesChannel
    @MikeLikesChannel 2 months ago +34

    Two factor was a game changer. Not perfect, but *substantially* better. Limit logins to 3 or 10 attempts per day. That takes care of most of the brute force attempts.

    • @DavesGarage
      @DavesGarage 2 months ago +40

      I never thought about it, but that was my lunchtime interview question at Microsoft in 93. How do you solve the "too many attempts" problem. I don't know if there's a better way, but I managed to come up with progressive backoff, i.e. slowly increase the delay until it becomes unwieldy for each attempt!

    • @Jimmy_Jones
      @Jimmy_Jones 1 month ago +6

      I think my microsoft account has hundreds of attempts every day. Just yesterday it was 24 times from 13 different countries. It has 2fa on it, and I update it regularly. But how are they allowed to attempt it that many times from all over the world within a few minutes.

    • @robertthomas5906
      @robertthomas5906 1 month ago +3

      I had to disable that. I was at a tire shop and tried to get to my mail. I couldn't. When I looked at the Linux box I found around 50000 attempts in a day. They were all from different IP addresses because I wanted to block that host. It was just for my account. After a week or so it dropped off to around 2000 attempts/day. It has been years though they still try to get in and it's still distributed.

    • @DrRChandra
      @DrRChandra 1 month ago

      @@DavesGarage I wish (I think it's) winlogon.exe took that approach, instead of demanding a PIN or password after 3 failed fingerprint reader attempts. Or at least make it configurable how many bad attempts are needed to refuse and demand a PIN.

    • @lozboz63
      @lozboz63 1 month ago +2

      Break-in evasion is another solution: after n attempts block all logins on the account for x minutes; if there are more attempts then extend the period. During the evasion period even the correct password is refused. It completely stops brute force if you don't know when the system enters the evasion period, as you can enter the right password and be refused !!!

  • @briankowald6465
    @briankowald6465 2 months ago +3

    100 percent agree - getting a pw manager has changed my life for the better

  • @sodbuster4411
    @sodbuster4411 1 month ago

    Great info. Thanks. I'm watching the reflection of light in your eyes and it sure looks like you are not reading a teleprompter. I admire your ability to do that. I'm a YouTube creator and I can't make it without a script.

  • @bluetheta
    @bluetheta 1 month ago +10

    Another thing to mention is some sites insist on having you "register" with them in order to just access the site even if there is no purchase function (shop, subscriptions, and the like) - mainly sites that offer free content or streaming. For these sites I use low level security (weak passwords) versus a site that requires financial information or other sensitive information, which requires high security (password manager generated credentials). Too many sites want an "account" to access content that would otherwise be readily available - the typical offenders are the ones with "Signup with Google", "Signup with Facebook", or other service providers; I always sign up through the email option and give them my "contaminated" email address - one that has been sold to every list possible and that I don't use for general services or communications - basically making the address worthless to advertisers.

  • @Homen754
    @Homen754 1 month ago +4

    Fun one from my bank... I got a new card and was assigned a random pin. Only problem was that when I looked at the pin I realized that it was the house number of my then fiancé, now wife, and would be my house number once we were married. I quickly changed that pin to a different one that is "more random" rather than leaving that avenue of attack available.

  • @tubefredfernando
    @tubefredfernando 2 months ago +14

    one idea I heard for those who don't trust the password manager is to have a "salt" that is not in the manager. You get the pass from the manager and then type in a few more chars. But that is certainly more inconvenient than just using the password manager with autofill

    • @Mikexxx531
      @Mikexxx531 1 month ago

      Security is generally inconvenient! It should be, since it will be even more inconvenient for the bad guys too.

  • @ejc4684
    @ejc4684 1 month ago +1

    Thanks for sharing password security practices Dave!! Dr. Mike Pound from the UK has a lot of security videos that are great to watch!

  • @dougdavidson175
    @dougdavidson175 2 months ago +6

    Thanks Dave. Take care & stay safe.

  • @stevesnow9259
    @stevesnow9259 1 month ago +2

    Can’t get enough of your shenanigans. Now following on FB too!

    • @grematv
      @grematv 1 month ago

      HELLO MY FRIEND

  • @tim9605
    @tim9605 2 months ago +197

    Websites should not let people try 1000s or even 100s of different passwords without locking down the account.

    • @evocorporation6537
      @evocorporation6537 2 months ago +52

      Or just locking the originating IP
      Do not punish the account for a nefarious idiot on another continent

    • @SeanBZA
      @SeanBZA 2 months ago +18

      Yes that is the issue, websites that do not rate limit password attempts for an account, or for multiple attempts from a specific IP range.

    • @biffhenderson1144
      @biffhenderson1144 2 months ago +10

      Good point. We allow 5 attempts.

    • @skippytbk7891
      @skippytbk7891 2 months ago +1

      "Punish the account"???

    • @Phantom-mk4kp
      @Phantom-mk4kp 2 months ago +19

      Every attempt after 3 failures, add a minute delay
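A concrete version of the progressive backoff and "break-in evasion" ideas from the earlier thread under @MikeLikesChannel and of the per-account versus per-IP lockout discussion in this one, as an added example that is not from the video or from any commenter. It counts failed logins per account and, more loosely, per client IP, doubles the required wait after a few free attempts, caps that wait, and refuses even a correct password while a penalty is running. The clock is injectable so the behaviour can be exercised without sleeping; the thresholds, delays and IP addresses are illustrative assumptions.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, List, Tuple


class Throttle:
    """Failed-attempt counter for one key space (account names, or client IPs).

    After `free_attempts` failures the required wait doubles on every further
    failure, capped at `max_delay` so an attacker cannot use the mechanism to
    lock the real user out indefinitely.
    """

    def __init__(self, free_attempts: int, base_delay: float, max_delay: float = 15 * 60):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures: Dict[str, int] = defaultdict(int)
        self.next_allowed: Dict[str, float] = defaultdict(float)

    def retry_after(self, key: str, now: float) -> float:
        return max(0.0, self.next_allowed[key] - now)

    def record_failure(self, key: str, now: float) -> None:
        self.failures[key] += 1
        excess = self.failures[key] - self.free_attempts
        if excess > 0:
            delay = min(self.base_delay * 2 ** (excess - 1), self.max_delay)
            self.next_allowed[key] = now + delay

    def reset(self, key: str) -> None:
        self.failures.pop(key, None)
        self.next_allowed.pop(key, None)


class LoginGate:
    def __init__(self, check_password: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.monotonic):
        self.check_password = check_password
        self.clock = clock
        # Assumed thresholds: tight per account, looser per IP because many
        # legitimate users can share one address behind NAT or CGNAT.
        self.by_account = Throttle(free_attempts=3, base_delay=1.0)
        self.by_ip = Throttle(free_attempts=20, base_delay=2.0)

    def attempt(self, username: str, password: str, client_ip: str) -> Tuple[str, float]:
        now = self.clock()
        wait = max(self.by_account.retry_after(username, now),
                   self.by_ip.retry_after(client_ip, now))
        if wait > 0:
            # Refuse before looking at the password: a correct guess during the
            # penalty window is rejected too, which is what bounds online guessing.
            return ("throttled", wait)
        if self.check_password(username, password):
            # Only the account counter is cleared; a success from an IP that is
            # also spraying other accounts should not buy that IP more attempts.
            self.by_account.reset(username)
            return ("ok", 0.0)
        self.by_account.record_failure(username, now)
        self.by_ip.record_failure(client_ip, now)
        return ("denied", self.by_account.retry_after(username, now))


def simulate() -> List[str]:
    """Drive the gate with a fake clock; returns the outcome of each attempt."""
    clock = [1000.0]
    gate = LoginGate(lambda user, pw: (user, pw) == ("alice", "correct-passphrase"),
                     clock=lambda: clock[0])
    outcomes = []
    attacker, alice_ip = "198.51.100.7", "203.0.113.9"   # documentation-range addresses
    for _ in range(3):
        outcomes.append(gate.attempt("alice", "wrong", attacker)[0])   # free failures
    outcomes.append(gate.attempt("alice", "wrong", attacker)[0])       # 4th: 1 s penalty
    outcomes.append(gate.attempt("alice", "correct-passphrase", alice_ip)[0])  # throttled
    clock[0] += 1.0
    outcomes.append(gate.attempt("alice", "wrong", attacker)[0])       # penalty now 2 s
    outcomes.append(gate.attempt("alice", "correct-passphrase", alice_ip)[0])  # still throttled
    clock[0] += 2.0
    outcomes.append(gate.attempt("alice", "correct-passphrase", alice_ip)[0])  # window over
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

The simulation shows the tradeoff @lozboz63 describes: the legitimate owner, coming from a different address, is refused with the right password while the attacker's penalty window is open. The per-account throttle is what actually bounds the guess rate against one account; a per-IP limit alone does nothing against attempts spread over many addresses, as @Jimmy_Jones and @robertthomas5906 observed. The cap on the delay is the mitigation for the denial-of-service that any lockout scheme hands to an attacker who only wants to keep the user out.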

  • @timothyrose4052
    @timothyrose4052 1 month ago +1

    ALWAYS informative and entertaining. Thanks and keep up the good work.

  • @TheStevenWhiting
    @TheStevenWhiting 2 months ago +137

    Issue with Google is if they decide they don't like what you've had stored on your Google drive or photos one day, they can lock you out of your account and thus, your password manager. Such as they did in the New York times case "A Dad Took Photos of His Naked Toddler for the Doctor. Google Flagged Him as a Criminal."

    • @jonasgreen8260
      @jonasgreen8260 2 months ago +10

      Therein lies the problem with automatic algorithms. I once took a picture of a pumpkin/jack-o-lantern with a crack in it - imitating the crack in Amy's wall, from Dr. Who. When I uploaded it to a web site for a customized picture on a credit card, I used the title 'Amy's Crack' -- That got flagged. I had to rename the file.
      Also likely in the New York Times case, I'm guessing the dad's photos were automatically uploaded to Google for storage. - I haven't seen that article yet.

    • @brandonw1604
      @brandonw1604 2 months ago

      @@jonasgreen8260 The tldr is that the father took the photo for Telehealth. Google alerted authorities and they showed up at the house. After an investigation they determined no crime was committed, Google still locked dude out of his account indefinitely. He ran his business from that account and lost tons of data. Short story shorter, Google sucks.

    • @View777Dragon
      @View777Dragon 2 months ago +16

      Never upload unencrypted files to a cloud provider. Remember the cloud is just someone else's computer.

    • @loupasternak
      @loupasternak 2 months ago

      huh? you keep your password manager locally, not just in the cloud

    • @Bob-of-Zoid
      @Bob-of-Zoid 1 month ago +1

      That's why you shouldn't store anything in the cloud, nor let some company have any controlling power over it, and in any which way! The latter cannot be guaranteed but the former isn't hard to practice at all. I don't use online apps to make stuff, nor store anything with anyone other than my website with my host, and there's nothing there that isn't also stored here in my home/business.

  • @Azoraqua
    @Azoraqua 2 months ago +117

    I love how this entire video sounds like some kind of advertisement/sponsorship of some password manager. Yet there's no ad.

    • @DavesGarage
      @DavesGarage 2 months ago +98

      That's why I didn't do a sponsor, I knew that because I'm advocating for password managers that people would think I was oozing sincerity for the highest bidder! At least this way you know I mean it :-P

    • @earthsystem
      @earthsystem 2 months ago +6

      G'day Dave my friend, this 6-year-old Silicon valley native has finally seen the light, I will get a password manager.

    • @Azoraqua
      @Azoraqua 2 months ago +6

      @@DavesGarage Props to you Dave! I am glad you’re staying true to being helpful to people.
      Thanks!

    • @sujimayne
      @sujimayne 2 months ago

      It sounds like it because the whole first example is wrong and severely exaggerates, with the fallacious implication that the exact number of letters and numbers is known, which it isn't.
      Dave wants it to be scary, but in doing so, he forgets to tell the truth. The truth is that "Banana1492" is a lot safer than is stated in the video.

    • @sujimayne
      @sujimayne 2 months ago +2

      @@DavesGarage You are not sincere. The first password example would take over 180 seconds to crack, not 1 second. You know this and you know why that is, but are being insincere.

  • @DavidEckard
    @DavidEckard 1 month ago +11

    Sarah Palin's Yahoo account got hacked because the kid was able to look up what high school she went to. Celebrities should lie about those questions. What high school did you go to? Baked potato. Then you have to use the password manager to remember what your lies were.

    • @garanceadrosehn9691
      @garanceadrosehn9691 1 month ago +4

      Your suggestion is a bit confusing at first glance. You should add that you're talking about lying to *security questions* that web sites ask you. Not that people should try lying to the public about where they went to high school! Lying to the public is a lie where the correct answer could be found out.
      I also have answered those security questions with absolutely absurd responses, and then used my password manager to keep track of which bogus answer I gave to each web site. I think that's excellent advice!

    • @el_daro
      @el_daro 1 month ago

      @@garanceadrosehn9691 back when I was young, I answered one of these questions about my favourite band (genuinely). Years have passed, my music taste transformed and now I don't remember who the hell was my favourite back then... Never only had one anyways.

    • @Mikexxx531
      @Mikexxx531 1 month ago

      @@garanceadrosehn9691 The public has absolutely no right to your history. If they work hard enough at it, they can find out, but it should take actual legwork. Why make it easy for the data aggregators?

  • @CybersecPat
    @CybersecPat 2 months ago +1

    Great video Dave. I'm going to use this as a template for some custom security training at my day job. Appreciate you sharing this knowledge for the sake of sharing knowledge. Not many people do that these days. You're a big inspiration to me and my wife (who loved your book Secrets of the Autistic Millionaire) and I always love seeing your videos get posted.

  • @richarddoherty5987
    @richarddoherty5987 1 month ago +6

    Google don't know your password? Possibly. But they completely control your device and then that could change in the blink of an eye.
    "A little paranoia can go a long way to keeping you safe?" Bollox a lot of paranoia can go a long way to keeping you safe!

  • @axelBr1
    @axelBr1 2 months ago +12

    The problem I had with Apple's password manager happened after my 1.5 year old Macbook Pro died, (based on a YouTube video I think the voltage regulator for the SSD failed, nuking it), and after replacing the logic board, (I hadn't purchased extended warranty because in 20+ years of daily use of Dell laptops I'd never had a laptop fail within 3 years), when I came to restore the Time Machine backup, I screwed up entering a password, (either iCloud or original laptop), I don't know what I did wrong, but the password manager was locked and along with all my stored passwords.

    • @coweatsman
      @coweatsman 5 days ago

      My password manager is Keepass and it is entirely offline backed up in lots of portable drives, USB drives and several hard discs on different computers. I used diceware to compile a multi-word passphrase to secure the PW Manager DB.

    • @Rabindramajhi-n2f
      @Rabindramajhi-n2f 4 days ago

      0:39
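The diceware passphrase @coweatsman mentions for the KeePass master password, the "3 random words" Computerphile summary quoted further up, and the l/1/O/0 readability problem raised about paper backups, as one added example that is not from the video or from any commenter. It generates passphrases and random passwords with the OS CSPRNG, works out the entropy of each construction, and turns that into an average crack time at an assumed guess rate. The word list is a constructed stand-in for the 7776-entry EFF list (the entropy figures use the real list size), and the guess rate is a parameter, since it depends entirely on how the site stores the password.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware list; the EFF long list has 7776 entries,
# which is what the entropy figures below assume.
SAMPLE_WORDS = ("anvil basil cobalt dune ember fjord glacier harbor igloo jasper "
                "kelp lunar mango nectar orbit pollen quartz raven saddle thistle "
                "umber velvet walnut xenon yarrow zephyr acorn bramble cinder dusk").split()
DICEWARE_LIST_SIZE = 7776

# Characters that are easy to confuse when a password is read back from paper
# (the "| or ! or I or l or 1, O and 0" problem raised earlier in the thread).
AMBIGUOUS = set("Il1O0|!")


def diceware_passphrase(n_words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    # secrets.choice draws from the OS CSPRNG; random.choice would be predictable.
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def password_alphabet(exclude_ambiguous: bool = True) -> str:
    alphabet = string.ascii_letters + string.digits + string.punctuation
    if exclude_ambiguous:
        alphabet = "".join(c for c in alphabet if c not in AMBIGUOUS)
    return alphabet


def random_password(length: int, exclude_ambiguous: bool = True) -> str:
    alphabet = password_alphabet(exclude_ambiguous)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices_per_symbol: int, n_symbols: int) -> float:
    """Entropy of n independent, uniformly chosen symbols (words or characters)."""
    return n_symbols * math.log2(choices_per_symbol)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest passphrase length reaching a target entropy from a given list."""
    return math.ceil(target_bits / math.log2(list_size))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Mean time to find a uniformly random secret: half the space on average."""
    return 2 ** (bits - 1) / guesses_per_second


def comparison_table(guesses_per_second: float = 1e10) -> dict:
    """Entropy (bits, rounded) and mean crack time at an assumed offline guess rate."""
    charset = len(password_alphabet(exclude_ambiguous=True))
    rows = {
        "3 diceware words": entropy_bits(DICEWARE_LIST_SIZE, 3),
        "6 diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
        "12 random chars (no ambiguous)": entropy_bits(charset, 12),
        "20 random chars (no ambiguous)": entropy_bits(charset, 20),
    }
    return {name: (round(bits, 1), expected_crack_seconds(bits, guesses_per_second))
            for name, bits in rows.items()}


if __name__ == "__main__":
    print(diceware_passphrase(6))
    print(random_password(20))
    for name, (bits, seconds) in comparison_table().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{seconds / 86400:.3g} days at 1e10 guesses/s")
```

The figures assume the attacker knows the construction (which list, how many words, which separator) and only lacks the dice rolls; that is the whole point of diceware and the reason the entropy comes from the list size and word count rather than from the secrecy of the method. The guess rate is where the site's hashing matters: ten billion guesses per second is plausible against an unsalted fast hash and wildly optimistic against a properly tuned scrypt or Argon2, so the same passphrase can be fine on one site and marginal on another.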

  • @WilliamHaisch
    @WilliamHaisch 1 month ago +5

    I try to keep things simple and no more complicated than necessary.
    _“The more they overthink the plumbing, the easier it is to stop up the drain.”_
    -Montgomery Scott

  • @JeffreyBue_imtxsmoke
    @JeffreyBue_imtxsmoke 1 month ago

    Thanks for this video. Definitely needed in this day and age of information that we live in.

  • @checksinthemail
    @checksinthemail 1 month ago +1

    Company I worked for had a 15-character minimum password. Upper and lower case, numbers, and symbols all required, and no English words or repeating characters embedded in it.
    I hated my early attempts of making a password based on first letters of a phrase, say for example --- "the World is small but I don't have the time 2 paint it!" (an old one)
    Keyboards since 2010 have been chorded, and that's where I went with it. Slamming down four keys with my hand per keystroke, and eventually adding the shift key, I could enter my password in 5 keystrokes including the shift key modifier. What's special about this, and how does it prevent seeing others watching your keystrokes?! Every keyboard is different - this same mechanism of smashing the keyboard keys at the same time is going to pull up wildly different results depending on your input device!
    Anyway, rant on passwords and how I do it in 2023/2024. Great channel Dave!

  • @jaygosch8705
    @jaygosch8705 1 month ago +3

    I helped out a disabled friend with a new computer. He used Chrome and lost his list of passwords. After about 8 years, the computer I gave him was very outdated and had hardware problems. Fortunately, I was able to give him another computer. I was setting it up and realized I didn't know his passwords and neither did he. He had saved the passwords in Chrome and I thought maybe I could just copy a file from the old hard drive to the new computer. After a little looking, I realized there was no need to do that. I was able to see all of his logins and associated passwords right from Chrome. Even a couple from his friends who used his computer. I just typed them back in on the new computer. 😊

    • @Mikexxx531
      @Mikexxx531 1 month ago +2

      This is quite disturbing!

    • @jaygosch8705
      @jaygosch8705 1 month ago +1

      @Mikexxx531 I thought so too!

  • @o2wow
    @o2wow 2 months ago +2

    Preach on Dave! I've been using one for years, the only caution, some websites have a limitation on the number of characters allowed for a password, most will specify a limit, others don't indicate a limit, but allow you to enter a PW that is too long and accept it to create an account. When you log back in it will not allow the PW, I guess it is overflowing their log in system. You'll need to use the lost PW routine and use a shorter PW, guessing what length is correct.

    • @herpderp5222
      @herpderp5222 2 months ago +1

      I've run into the same thing. Very frustrating figuring out that's the issue in the first place, then figuring out the max length, resetting your password over and over

    • @_Steven_S
      @_Steven_S 2 months ago +1

      Usually if the registration form accepts your Y length password and you find you can't log in, changing the login form's input attributes via Dev Tools usually works. Not sure why someone would write a registration form to accept upwards of 50 characters then limit the login form to 8 characters 🤦

    • @o2wow
      @o2wow 2 months ago

      @@_Steven_S Agree, I'm guessing it's a lack of communication between the page developer and the database administrator/developer.

  • @OlviMasta77
    @OlviMasta77 2 months ago +8

    Dave, how about the Firefox password generator?

  • @synthoelectro
    @synthoelectro 1 month ago

    learned long ago to make one password per website.
    This has kept me sane.

  • @BitwiseMobile
    @BitwiseMobile 2 months ago +29

    I NEVER store my passwords in Chrome or Edge. As a prior security professional that just makes me cringe. It's like putting the key (or combination) to your safe in one of those key hideaways stuck under the safe. Why would you do that?

    • @DavesGarage
      @DavesGarage 2 months ago +16

      Because you did not suggest a viable alternative, so it was still the better plan.

    • @paulw7404
      @paulw7404 1 month ago

      @@DavesGarage See my post

    • @inothome
      @inothome 1 month ago +7

      @@DavesGarage What about third party, standalone, offline password manager apps? Sure, may not be as intuitive to sync across devices but you are not tied to a specific browser / ecosystem. Yes, you may have to copy paste password from app to website but the few seconds that takes can be nothing compared to your master browser password manager getting breached and having all your logins compromised.
      But I agree, any password manager is mandatory these days. Browser based is better than nothing.

    • @randirbox
      @randirbox 1 month ago

      Most of the time I just don't care enough. Just checked, Chrome is angry about 150 of 300 of my saved passwords.
      Some of these sites may still exist, and some of them had data leaks in the last few years, I guess.
      Somehow pizza-delivery sites want you to register, authenticate and give your credit card to them, but have security issues all over them.

    • @MrBoboka12
      @MrBoboka12 1 month ago

      @@DavesGarage No.

  • @MistyB-yv1uw
    @MistyB-yv1uw 1 month ago

    I think somebody done got that 2 step taken care of for me. Lol. Butttt, thank you for the heads up

  • @SongoftheSkyPacers
    @SongoftheSkyPacers 2 months ago +18

    "One reason you should not use web applications to do your computing is that you lose control. It's just as bad as using a proprietary program. Do your own computing on your own computer with your copy of a freedom-respecting program. If you use a proprietary program or somebody else's web server, you're defenceless. You're putty in the hands of whoever developed that software."
    KeePass XC

    • @nogaxeh6
      @nogaxeh6 2 months ago

      True, but when we're talking security at scale, there is a convenience factor. The more steps there are, the fewer people will do it.
      Which is why I personally use KeePass, but recommend an easier one like BitWarden to my less tech savvy friends and family.
      Also, the threat model for 99.9% of people doesn't require that high of a level of security, imo.

    • @dav1dw
      @dav1dw 2 months ago

      Wait until we all give it to AI. Then the fun begins.

  • @johnburr9463
    @johnburr9463 2 months ago +1

    I deleted my earlier comment because you answered it later in the video. Now you have me thinking. Good PSA.

  • @jonnyphenomenon
    @jonnyphenomenon 1 month ago +4

    The problem with chromes password manager is that if someone knows your desktop password, they have access to all your saved passwords. Your network administrator can change your password on the domain, and sign into your workstation as you. And it's not hard to gain admin on a Windows PC anyway. With a boot stick and 3 minutes you can reset any local user password.

    • @debrascott8775
      @debrascott8775 1 month ago

      I mean, if you are insane enough to put anything personal on a corp laptop? I don't even log into my personal linkedin on there, let alone google.

    • @michamarkowski2204
      @michamarkowski2204 1 month ago

      @@debrascott8775 but it could be your PC stolen or in repair. It's easy AF to log in to someone's profile and show browser-saved passwords.

    • @anjoliebarrios8906
      @anjoliebarrios8906 1 month ago

      I'd imagine hackers usually wouldn't be able to physically get to your computer. I GUESS if your phone got stolen it could be a problem. but a hacker would usually log in from another device.

  • @DavidEckard
    @DavidEckard 1 month ago +1

    A very very good feature of most password managers is secure notes. I, for example, have all my medicines in one. My bank account information in one. Things I need to remember that need to be kept secure are in a secure note.

  • @MrPants-xy6db
    @MrPants-xy6db 2 months ago +69

    As an IT-pro, I don't trust Google, and don't use Chrome at home. I don't trust any cloud based password solution either - you're screwed if they ever have an outage.
    What works for me is a free cross-platform local password manager file (without any browser extensions, don't trust them either) and it's synced across all my Windows/Linux/Android devices via my cloud provider. It's marked as available-offline on all key devices , because my cloud credentials are stored within. I do rely on browser auto-fill for frequent sites, otherwise it's just a quick copy/paste.
    For passwords I use the built in generator, set to the max allowed length, all randomly generated gibberish and enable 2FA on any site that supports it. I manually generate nonsense security answers, most managers have additional fields to store extra info.
    I think the only weak point here is that the file although encrypted is on cloud-storage - but I would be interested to know if anyone can point out a flaw in this approach?

    • @dominic.h.3363
      @dominic.h.3363 2 months ago +8

      ... and if you ever have to log in to a device that isn't yours, you have to read your long password off of your phone?

    • @nogaxeh6
      @nogaxeh6 2 months ago

      I started with a similar approach with KeePass, but eventually moved to Bitwarden out of convenience. It's up to your threat model of course, but for 99.9% of people, the security benefits/convenience tradeoff of having a cloud-based encrypted vault is worth it imo. Being able to use plugins to simply right click and fill forms is both convenient and more secure than manually copy/pasting (as it won't autofill if I'm on a phishing website for instance; I can be tricked, but the plugin cannot). And also it's a lot less likely to lose the vault when it's hosted on (presumably) redundant cloud infrastructure, compared to my local computer. (ofc you can - and should - always back things up, but like if my house goes up in flames, even if I have a local backup, it's screwed).
      If you are particularly security conscious, I'd say you'd need to get one of the open-source managers and install your own vault on a server. But again, I think the average person neither needs to nor has the know-how to handle this.

    • @MrPants-xy6db
      @MrPants-xy6db 2 months ago +4

      @@dominic.h.3363 That would be the case, although I don't think that's ever happened.

    •  2 months ago

      Local Bitwarden sync server. I can reach it anywhere in the world from my own devices thanks to WireGuard "transparent VPN" back home. There's also a way to run a deprecated-but-still-working FIDO2 server for Yubikey.

    • @radish6691
      @radish6691 2 months ago +6

      I do the same. I use PasswordSafe (free and open source on PC, cheap iOS app) and keep the locally-encrypted file in iCloud storage. I use Firefox and never Chrome/Edge.

  • @stuart4858
    @stuart4858 1 month ago

    Thanks Dave, great stuff. Stuart from Melbourne AU

  • @ChantingInTheDark
    @ChantingInTheDark 2 months ago +9

    This is why it bugs me when sites have stupid limitations on length. Let me use pass phrases that are much easier to remember but much harder to crack.

    • @rezwhap
      @rezwhap 2 months ago +5

      Or the ones that have longer limits during password reset than they accept during login! Too many times 😅

    • @jonasgreen8260
      @jonasgreen8260 2 months ago

      Are they? I never got that. A 'Pass Phrase' is still an ordered set of characters of some length.

    • @ChantingInTheDark
      @ChantingInTheDark 2 месяца назад +2

      @@jonasgreen8260 - Yeah, you'll have some sites be really specific like between 9 and 13 characters, I'm talking a passphrase like "YoureGonnaNeedaBiggerBoat" or something.

    • @justawatchin2
      @justawatchin2 Месяц назад

      ​@@ChantingInTheDark just translate that sentence into Frisian and you'll be unhackable

  • @nunes1907
    @nunes1907 Месяц назад

    I was looking for a good password manager for a quite long time...
    This one is a find!
    Thanks for the tip.

  • @michaeljaques77
    @michaeljaques77 2 месяца назад +13

    Mine aren't. I've been using a password manager for a few years and not repeating codes. However convincing my family members this matters feels pointless because they don't care.
    EDIT TO ADD: They look at me as some kind of kook, even though at least one has had a card frozen due to a skimmer. I'm not paranoid or a kook, I'm technology aware dammit, but they won't listen to me. I have no hope for society, too many people rely on and trust that technology will just work and be secure without doing a modicum of basic work to help protect themselves.

    • @binsarm9026
      @binsarm9026 Месяц назад +3

      "no hope for society" LOL, if Trump being considered as a nation's leader didn't instill that conclusion already you're quite an optimist!

    • @daa3417
      @daa3417 Месяц назад

      @@binsarm9026 Your favorite celebrity obsession has nothing to do with this. America was a kakistocracy long before Trump entered into politics, it’s a sobering reflection on his opposition that he was even considered an option.

    • @binsarm9026
      @binsarm9026 Месяц назад

      @@daa3417 dude, throwing around words that are meaningless (IMO) - if democracy is broken, it doesn't mean "government by the worst" - it just means it's a flawed democracy, the choices given to the 'demos' have been pre-selected... like in Hong Kong.

  • @kevintedder4202
    @kevintedder4202 Месяц назад +1

    I've always used a minimum of 3 random 4-letter words or more. This adds up to a minimum of 12-letter passwords. Since we have over 70 characters [a-z, A-Z, 0-9, special chars] per letter position, this makes the total number of possible permutations = 70^12 = 1.3841287201x10^22. A brute force attack using a modern PC, or multiples thereof, would take a long time - greater than the age of the universe (yes, I've done the maths).
    If you use more than 12 letters then this permutation increases exponentially.
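
To make the arithmetic in the comment above reproducible, here is an added example (my own code, not the commenter's) that computes the keyspace and entropy for the 70-symbol, 12-position case, and beside it the much smaller keyspace a guesser faces once they know the password is three words drawn from a list. The guess rate of 1e10 per second and the list size of 5000 are assumed round numbers for illustration, not figures from the page; plug in your own.

```python
import math

# Constructed figures: the 70-symbol alphabet and 12-position length come from the
# comment above; the guess rate and word-list size are assumptions for illustration only.
CHARSET_SIZE = 70
LENGTH = 12
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_GUESSES_PER_SECOND = 1e10      # assumption: offline attack on a fast, unsalted hash
ASSUMED_FOUR_LETTER_WORDS = 5000       # assumption: size of a list of common 4-letter words


def keyspace(alphabet_size: int, positions: int) -> int:
    """Number of distinct strings of `positions` symbols drawn from an alphabet of `alphabet_size`."""
    return alphabet_size ** positions


def entropy_bits(space: int) -> float:
    """Entropy in bits of a secret chosen uniformly from `space` possibilities."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def random_string_space(length: int = LENGTH, charset: int = CHARSET_SIZE) -> int:
    """Keyspace if the guesser must assume any of the 70 symbols in every position."""
    return keyspace(charset, length)


def word_scheme_space(words: int = 3, wordlist_size: int = ASSUMED_FOUR_LETTER_WORDS) -> int:
    """Keyspace if the guesser knows the password is `words` words drawn from a known list."""
    return keyspace(wordlist_size, words)


if __name__ == "__main__":
    for label, space in (("70^12 random symbols", random_string_space()),
                         ("3 words from a 5000-word list", word_scheme_space())):
        print(f"{label}: {space:.4e} candidates, {entropy_bits(space):.1f} bits, "
              f"{years_to_exhaust(space, ASSUMED_GUESSES_PER_SECOND):.3g} years at 1e10 guesses/s")
```

The point the numbers make: 70^12 is about 73.6 bits and takes tens of thousands of years even at an assumed 1e10 guesses per second, but the same 12 characters seen as three words from a 5000-word list are under 37 bits and fall in seconds. A password's strength is the size of the space the guesser actually has to search, not the size of the alphabet it is written in.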

  • @tigo01
    @tigo01 2 месяца назад +8

    What if Google decides to close your Google account for some perceived violation of its TOS? Then you yourself are locked out of your own passwords.

    • @ChantingInTheDark
      @ChantingInTheDark 2 месяца назад

      Yep, you have to factor in this potential situation, when you hand over control, you hand over the possibility of that control being taken away from you. Definitely something to think about.

    • @stargazer7644
      @stargazer7644 2 месяца назад

      That's why you use a password manager like pwsafe.

  • @marklharmon
    @marklharmon 2 месяца назад +1

    More laughs than I've gotten out of any of your other videos - thanks! 🤣

  • @wardrich
    @wardrich 2 месяца назад +5

    I've always wondered if sites that disallow repetition for "security" actually make things less secure, as they are also removing potential patterns from people trying to crack the passwords, too.

    • @abandonwareguru
      @abandonwareguru 2 месяца назад +3

      You may be interested to know that this is a topic of hot debate in the world of data security.

    • @wardrich
      @wardrich 2 месяца назад

      @@abandonwareguru I am interested! Any time a site forces stipulations, I feel like it gives bad actors more to work with for filtering out possibilities that can't exist.

  • @MoneySavingVideos
    @MoneySavingVideos Месяц назад

    I have multiple google accounts for my different RUclips channels. Can I still use Chrome password manager?

  • @edtrob
    @edtrob 2 месяца назад +19

    How many zero days has Chrome had this year? 8? at least? Plus they just nuked privacy to hell. Yeah. hard pass on Chrome. NO ONE should be using it.

  • @RomeoTudose
    @RomeoTudose Месяц назад

    Thanks Dave
    It is nice to know how the password manager in Chrome actually works 😊

  • @splashysiren
    @splashysiren 2 месяца назад +4

    Great idea IF you trust big tech companies and the government that promises they won't just 'acquire' it from said companies. This topic requires more nuance, the problem is people generally don't care. Shrug shoulders emoji.

  • @tedspens
    @tedspens 20 дней назад

    The friend at the office is my wife. My question is should I trust her? For security reasons, of course. It has nothing to do with her not knowing how much I spend on tools and fancy gadgets. Thanks for the info. I use Google's built in password manager, 2 factor authentication when available, and my 12 to 20 character passwords are random as it gets.

  • @semicolontransistor
    @semicolontransistor 2 месяца назад +13

    The Chrome password manager on Windows is hilariously insecure and any malware you have on your machine can easily steal all your passwords due to some terrible Windows APIs.

    • @DavesGarage
      @DavesGarage  2 месяца назад +2

      I'd believe you if you posted a code sample that could decrypt a Google password given local access.

    • @semicolontransistor
      @semicolontransistor 2 месяца назад

      @@DavesGarage I am not a Windows developer myself but there is this open-source tool called HackBrowserData that extracts passwords/cookies and other information from browsers. I believe the main problem, and my understanding of this might not be entirely correct, is that browsers secure their data on Windows via DPAPI, which unfortunately allows any application running under a user to decrypt the data of any other application running under the same user. Thus any application can decrypt the files storing the passwords as long as it is running under the same user as the browser. I believe there is work going on at Google to address this but it has not yet been implemented. I am sorry I am not able to write a sample myself.

    • @semicolontransistor
      @semicolontransistor 2 месяца назад +1

      @@DavesGarage I am not a Windows developer myself but there is an open-source tool that extracts passwords/cookies and other information from browsers. I believe the main problem, and my understanding of this might not be entirely correct, is that browsers secure their data on Windows via DPAPI, which unfortunately allows any application running under a user to decrypt the data of any other application running under the same user. Thus any application can decrypt the files storing the passwords as long as it is running under the same user as the browser. I believe there is work going on at Google to address the problem but it has not been implemented yet. Sorry, I don't have the Windows programming experience to write a script myself. And I can't post the name of the tool since it seems it would get the comment removed.

  • @darkflux
    @darkflux Месяц назад +1

    Chrome saved passwords are easy to get to. All you have to do is gain access as an Administrator to the Windows computer (which is ridiculously easy, even on the latest Win11), then just access the local user's account folder and copy the Chrome Local App Data folder to your admin account folder to get to them.
    I've done this many times for users with Microsoft Accounts who forget (or never really knew) their login info (since MS lets them get away with only ever using a 4-digit code). I just make them a new Local Account, and copy everything from their Microsoft Account folder to it.

  • @MonteVanNortwick
    @MonteVanNortwick 2 месяца назад +5

    Websites typically only let you try a few times before locking you out for 2 hours. Unless there's a breach where they get the whole password database.

    • @DavesGarage
      @DavesGarage  2 месяца назад +8

      That's the risk. Let's say a site gets hacked. Ideally they won't actually STORE the passwords in plaintext, but they'll have the hashes. How hard is it to hash your real password to match a hash in the leak?
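
The answer to that question depends entirely on how the site hashed the passwords. As an added example (my own code, not from the video or any site mentioned here), the block below puts the weak scheme, one unsalted SHA-256 per password, beside the recommended one, a per-user random salt and PBKDF2-HMAC-SHA256 at 600,000 iterations, and shows what a leaked table of each kind gives away. The user names and the password "Summer2024!" are constructed sample data; the iteration count follows OWASP's current guidance for PBKDF2.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000   # OWASP's current guidance for PBKDF2-HMAC-SHA256


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme: one SHA-256 of the bare password, no salt, no stretching."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """The recommended scheme: a per-user random salt and a deliberately slow key derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """What a site should store per user: salt, work factor and derived hash (never the password)."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "hash": slow_salted_hash(password, salt, iterations)}


def verify(record: dict, attempt: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    candidate = slow_salted_hash(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(record["hash"], candidate)


def reuse_visible_in_leak(digests: list) -> bool:
    """Unsalted stores leak password reuse for free: equal digests mean equal passwords, no cracking needed."""
    return len(set(digests)) < len(digests)


def attacker_speedup(iterations: int = PBKDF2_ITERATIONS, fast_samples: int = 2000) -> float:
    """Roughly how many more guesses per second a leaked unsalted SHA-256 table permits
    than a PBKDF2 table, measured on this machine."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(fast_samples):
        fast_unsalted_hash(f"guess{i}")
    fast_each = (time.perf_counter() - t0) / fast_samples
    t0 = time.perf_counter()
    slow_salted_hash("guess0", salt, iterations)
    slow_each = time.perf_counter() - t0
    return slow_each / fast_each


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same password.
    alice, bob = make_record("Summer2024!"), make_record("Summer2024!")
    print("unsalted digests equal:", fast_unsalted_hash("Summer2024!") == fast_unsalted_hash("Summer2024!"))
    print("salted hashes equal:   ", alice["hash"] == bob["hash"])
    print("login ok:", verify(alice, "Summer2024!"), "wrong password:", verify(alice, "Summer2024"))
    print(f"an unsalted SHA-256 table allows ~{attacker_speedup():.0f}x more guesses per second")
```

With the unsalted table, two users who share a password are visible as duplicate digests before anyone computes a single guess, and each guess against the whole table costs one SHA-256. With the salted, stretched table every row has to be attacked separately and every guess costs hundreds of thousands of hash operations, which is what turns "how hard is it to match a hash in the leak" from trivial into expensive.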

    • @tomaselke3670
      @tomaselke3670 2 месяца назад

      LastPass literally leaked their entire DB.
      Making it even worse, early versions of their software only encrypted the data with a single round of encryption, and some meta-data was stored unencrypted, so the hackers that got the DB could see who had crypto-wallet passwords stored in their LastPass vaults and were successfully able to crack some of them resulting in the literal theft of several million dollars.

    • @acecabezon
      @acecabezon 2 месяца назад +1

      @@DavesGarage But when sites get hacked, they force everyone to change their passwords. So is this entire video really only applicable to sites that get their password hash databases stolen without their knowledge?

    • @lazymass
      @lazymass 2 месяца назад

      @@acecabezon still a problem if you use the same password anywhere else.

    • @hansangb
      @hansangb 2 месяца назад +2

      @@acecabezon You're assuming you'll be notified right away. You may not be. Because the company may not know for up to 270+ days (that they were hacked)

  • @fromdarknesscomeslight6894
    @fromdarknesscomeslight6894 Месяц назад +4

    The biggest problem with this setup is websites that prevent the user from copy/pasting data from their password manager into the login fields. If you are a developer that thinks this is a good idea PLEASE FOR THE LOVE OF GOD STOP IT!! For me, every one of these sites ends up having a shorter, but still random, password so I don't have to type so much. Less tech savvy people I know would just ditch the password manager on this site and go back to the good old Password1. Side note: If you can explain why this is a good design, I'm all ears.

    • @nomore6167
      @nomore6167 Месяц назад +1

      "Side note: If you can explain why this is a good design, I'm all ears" - I don't condone the practice of restricting the pasting of passwords, but thinking purely from a security perspective, I do understand one possible reason for it. When you copy your password onto the clipboard, it is then accessible by every running program, completely unencrypted. The user can also accidentally paste the password in an unintended place, potentially compromising the password. And, of course, the password remains on the clipboard after it is pasted (and thus no longer required). Having said all of that, I share your frustration with that annoying practice.

  • @supertec2023
    @supertec2023 2 месяца назад +1

    So far this year I've gotten about seven letters in the mail from different companies saying my identity has been stolen. These people need to do better jobs on their security than I ever had to do.

  • @ThatGoth
    @ThatGoth 2 месяца назад +6

    Just not lastpass as they get hacked a lot!

    • @ChantingInTheDark
      @ChantingInTheDark 2 месяца назад +2

      The hint is in their own name, it's the Last Pass word manager I would use! LOL

  • @3v068
    @3v068 2 месяца назад

    I started writing down my passwords on paper and locking them in a safe. I'm making new passwords for almost everything and I don't entirely trust certain apps. I may use it one day, but I'm too scared to do it. But thank you for reminding me that I have a few accounts that I regularly use that have my passwords compromised.

  • @MikeNovelli
    @MikeNovelli 2 месяца назад +9

    Not to mention a keylogger can't log your password if you don't have to type it in because your password manager auto fills the field.

    • @seen-bc9eq
      @seen-bc9eq 2 месяца назад +2

      oh damn never thought about that!

    • @pyp2205
      @pyp2205 2 месяца назад +1

      That's true, I actually never thought of that.

    • @DavesGarage
      @DavesGarage  2 месяца назад +7

      Good point! It could still scrape the text field, perhaps.

    • @seen-bc9eq
      @seen-bc9eq 2 месяца назад +1

      @@DavesGarage the ways are just so many, a yubi key is safe right? Besides the hassle?

    • @perwestermark8920
      @perwestermark8920 2 месяца назад +1

      @@DavesGarage I think decent web browsers do not allow you to copy content from a password field.
      A login form is never an expected source to copy a password for use somewhere else.
      A good password manager will instantly scrub clipboard and internal RAM after the password paste, to reduce the attack window.
      I think Facebook among some other big sites quite recently got slapped for incorrect use of form fields for passwords, with potential ability to read out data. Just self-formatting a text field to look like a password field is a no-no. Not OK!

  • @andrewhogan7403
    @andrewhogan7403 Месяц назад

    What's missing from this is segregation of duties. Regardless of if you use the browser or a dedicated password manager, you should use a second email account dedicated only to services linked to identity... Eg, government services, tax, health services & banks, the critical things where your identity can be compromised and stolen. I use proton pass aliases so even if one service becomes compromised, there's no common link between the critical services or my day to day web activities. Excellent advice regardless of my personal opinion on identity segmentation!

  • @CedroCron
    @CedroCron 2 месяца назад +7

    Bitwarden for the win!

  • @stephenknutson1343
    @stephenknutson1343 Месяц назад

    Thanks Dave, great information for a half way there guy too.

  • @VanHelvet
    @VanHelvet 2 месяца назад +8

    I would not recommend using built in browser password managers. Use a dedicated service.

    • @DavesGarage
      @DavesGarage  2 месяца назад +5

      You did not explain why though...

    • @russ254
      @russ254 2 месяца назад +1

      browser PMs are more vulnerable than 3rd party plugins - more frequently hacked

    • @AndrewRoberts11
      @AndrewRoberts11 Месяц назад

      You really want a set of physical authentication devices; you need a few spares. A well-known browser extension had a JavaScript injection vulnerability and was proved to be just as vulnerable to key loggers (the whole code base, customer database, password vaults and server keys were grabbed after one of its DevOps staff had his master password snaffled by a logger, and the necessary credentials snaffled from his own vault). Add, for recovery purposes, that that dedicated provider forwards a copy of your master password hash to the admin of any institution / group you belong to, to be held in their cloud vault, AWS buckets, or a miscreant's hard drive, and stashes a copy in your browser's local files, that a recovery URL mailed to your account email, on request, can retrieve from a browser you've previously logged in from. Not forgetting that, until recently, it only required an 8-character master password that contained at least one digit, and unless the customer opted to tweak the setting it may have only been hashed with a single SHA iteration, which I believe a Threadripper with a last-gen Nvidia GPU was shown to be able to consistently unscramble in under 45 minutes. So get a physical authentication device.

  • @nuts2559
    @nuts2559 Месяц назад +1

    Most experts advise people not to use Google at all due to trust, privacy & tracking concerns, and this video basically encourages viewers to entrust them with everything.

  • @glorgau
    @glorgau 2 месяца назад +5

    Using a password manager will change your life. Now, I don't know and don't want to know my passwords to the gazillion sites I use.

  • @IIIIIIIIIIIIIIIIIIIIIIIIIII258
    @IIIIIIIIIIIIIIIIIIIIIIIIIII258 Месяц назад

    I would also suggest masked email services, which come with many password managers now. This attaches a different account so that a leaked password or account can’t be identified or logged into with the same email. Also, it’s great for detecting a breach or if info is sold to spam or data brokers. It’s almost its own form of MFA/2FA on top of other protections.

  • @graywz
    @graywz 2 месяца назад +29

    NO NO NO, I don't trust Google and neither should you. Google is too focused on profit and doesn't give a fig for you, your security or privacy. A very poor recommendation, Dave.

    • @eriksiers
      @eriksiers Месяц назад +2

      Remember that they changed their slogan AWAY from "Don't be evil".

    • @binsarm9026
      @binsarm9026 Месяц назад +2

      he doesn't trust them either, but if you want a free option, using something that pretty much a majority of users do would be a sort of insurance

    • @These4Chords
      @These4Chords Месяц назад +4

      ​@binsarm9026 This. Also, the alternative for most users is a slew of terrible passwords at best, or one terrible password for everything at worst. At that point, the "Google has poor security" perspective (true as it may be) doesn't really apply. ANYTHING would be better than what most users have.

    • @debrascott8775
      @debrascott8775 Месяц назад +1

      Just like....every other business? Including stand-alone PW manager companies?

  • @genehenson8851
    @genehenson8851 Месяц назад

    I started using a password manager 10 years ago and it was a game changer, but the only people I can convince to do the same are other developers. Hopefully the next generation is better.

  • @RSTirendi
    @RSTirendi 2 месяца назад +6

    Dave, Random question… can I borrow your ATM card?

  • @misterskippy2u
    @misterskippy2u Месяц назад

    When I moved to a different state, my new randomly assigned landline telephone number had the same last four digits as my previous landline telephone number. That 1 in 10,000 chance hit.
    Always keep the answers to “security questions” in the password vault, and never use real answers for those questions. Real answers are not too difficult to find with a little digging and can be used in subsequent social engineering attacks. However, if the security question is, “What was your high school mascot?”, and my answer is something like, “wax donut comb” no amount of detective work will produce that answer. Downside? It can be a bit embarrassing reading those out loud over the phone to an account specialist.

  • @VarriskKhanaar
    @VarriskKhanaar 2 месяца назад +3

    Why must Security and Privacy be contradictory?

  • @noyes.
    @noyes. 2 месяца назад +15

    That’s great until the manager gets hacked now you’re fully F

    • @omega_172
      @omega_172 2 месяца назад

      That’s where hardware password managers come in, and encrypted local storage for some password managers

    • @nikolarun
      @nikolarun 2 месяца назад

      @@omega_172 if it gets hacked on the inside 2FA doesn't matter.

    • @allenbythesea
      @allenbythesea 2 месяца назад +5

      That's why you need 2fa for everything you have and it can't be the same program as the password manager.

    • @oliviadrinkwine1411
      @oliviadrinkwine1411 2 месяца назад

      ya but if the password manager is any good they're kind of screwed because the vault itself is encrypted with a password only you know.

    • @Phantom-mk4kp
      @Phantom-mk4kp 2 месяца назад

      If you want to enhance your Google password security, accept the Google suggestion but add your own universal PIN and insert it, say, 4 characters in, but don't ever save this. This means if someone gets into your device they still can't get into your accounts, because they don't know the PIN or where to insert it.

  • @nomore6167
    @nomore6167 Месяц назад

    What we need is an open source, cross-platform password manager which allows you to store your password database where YOU want, not where the developer wants. That way, you can control access to your password list, enhancing security. You could keep it, for example, in a cloud if you wish (Google Drive, iCloud, Amazon, Microsoft, etc), on your own website, in your Dropbox account, or just on your local device.

    • @jakeg6088
      @jakeg6088 Месяц назад

      I think KeePassXC checks those boxes.

  • @emirrp
    @emirrp 2 месяца назад +4

    I use keypass

    • @anonymoust8818
      @anonymoust8818 Месяц назад

      Do you mean keepass (keepass[.]info) ?
      It's not as handy across devices (if I'm not on my primary box, no loggie-in / access) but it's pretty secure and a different password for every account*. I've used KeePass for 20+ years with a USB copy in the safe in case I die.
      For context, I've been in cybersecurity for ~35 years.
      *when LinkedIn got hacked, I knew it was real 'cuz my unique-to-LinkedIn hashed pwd was in the dump.

  • @_Steven_S
    @_Steven_S 2 месяца назад

    Cryptographic signature (just dont ask Ebay, Paypal or Amazon for tips on your auth flow...), job done.

  • @NATIK001
    @NATIK001 2 месяца назад +4

    I use long passwords with no words and mixed upper, lowercase, numbers and punctuation, just like suggested for maximum security.
    I don't use password managers or write them down.
    How do I memorize them?
    By memorizing a system for them, of course if I explained my system it would be a security vulnerability, but suffice it to say any one single password appears fully random, and you would need to know quite a few of them to decipher the system. A human who obtained multiple of my passwords would likely see the pattern, but that doesn't help any brute force machine attempting to get them.

    • @stevepaul1872
      @stevepaul1872 2 месяца назад

      How to use the internet?
      Just invent a system for encryption, organisation and memorization... Simple really

    • @hedlund
      @hedlund 2 месяца назад +1

      "No words" isn't a magic bullet. Knowing you used no words does make it much easier to brute-force it, however.

    • @daa3417
      @daa3417 2 месяца назад +1

      I used to do this successfully but it’s not comparable to generated passwords and usernames, I tend to make them as long as the site will allow. There’s no way I’m memorizing a modern 60 character password, and I’m incredulous towards anyone who says they’re currently doing it. Also in any case you aren’t doing TOTP 2FA in your head but any proper password manager will support it, combine that with the option to add biometrics on top and that gets you near the 99th percentile of online security practices.
      Also autofill is really nice, many a time I’ve had to play the maddening long captcha game because I remembered and/or typed one character wrong a few times in a row with one of my 30+ character passwords. I also sometimes forget which email I used for said site as I use multiple to keep the garbage and spam out of my important accounts. It’s worth mentioning that some of the managers support saving cards, IDs, even notes. I keep a backup of my important phone numbers and I can’t overstate how nice it is to be able to autofill all those privacy cards (the free ones are vendor locked once you set them up) I use for nearly every site.

    • @NATIK001
      @NATIK001 Месяц назад

      @@hedlund It just allows you to skip the dictionary search part; it's not going to let you skip more than a minor portion of the work.
      Your statement is akin to saying "oh you told me you followed best practices, guess I can skip testing for worst practices." Which is true but hardly helpful.

    • @NATIK001
      @NATIK001 Месяц назад

      @@daa3417 I don't trust password managers or corporations to actually implement the security they say they use, or to do it correctly.
      A secret is only a secret before you tell it to a single other person, then you lost control of it.
      Password managers are generally closed source programs which you have to take on faith that they do what they claim to do. Sure they say they use end to end encryption, but do they? They say things are hashed with no copies of the keys, but is that true? Etc, etc.
      The only person I trust with information I consider secret and vital is myself, even if I could theoretically get "better" security in some aspects if I trusted someone else to the degree I trust myself, but I don't trust anyone else to that degree so it's a non-starter.

  • @Martial-Mat
    @Martial-Mat Месяц назад

    Given that three of the biggest password managers got hacked (as I suspected they were vulnerable to), I'll stick with the inconvenience thanks Dave.

  • @BrandonBristow
    @BrandonBristow 2 месяца назад +19

    No one should trust Google.

    • @DavesGarage
      @DavesGarage  2 месяца назад +9

      Make a list of companies we SHOULD trust and post it! Let us know!

    • @BrandonBristow
      @BrandonBristow 2 месяца назад +2

      @@DavesGarage LOL, good point. But they are at the bottom of my list. I guess the list would be more along the lines of which ones we have the least distrust of currently. Which for me would be Proton and Signal.

    • @BrandonBristow
      @BrandonBristow 2 месяца назад +1

      @@DavesGarage oh, and love your videos. Keep up the good work.

    •  2 месяца назад +1

      ​@@DavesGarage Keeper because MAANGs use it for their own employees' passwords.

    • @Michael_19056
      @Michael_19056 2 месяца назад

      Me Inc, myself-co, and I-corp. @@DavesGarage

  • @Mikexxx531
    @Mikexxx531 Месяц назад +2

    I won't use Chrome at all if I can help it. It's slow bloatware compared to some other browsers. Same with Edge. The worst thing about both those browsers is that they're owned and controlled by Google(or MS), which shares a user ID with RUclips and probably other sites. I see no reason that a RUclips account for viewing only should be able to compromise all of the Google universe(for me), and even worse - be associated with a password manager, so I'll use a different browser with yet another "independent" password manager, though one with a good reputation and something to lose. It's the same reason that I won't use a Google account to log into a random other site demanding an account. There's far too much data correlation on the net already!

  • @neverson42
    @neverson42 Месяц назад +4

    But what happens when Google, who decided to stop "not being evil" in 2015, decides I shouldn't have access to my Google account anymore because I support the wrong political party?

    • @daa3417
      @daa3417 Месяц назад +2

      You lose everything so host it yourself. It doesn’t even have to be political these days. Recall the time Amazon pulled the plug on a guy because a delivery driver claimed he used a slur against him over his ring doorbell. It turned out to be a lie and he was eventually able to prove it with the recording but for a time he was locked out. He was literally locked out as well because the poor fool had all his smart home stuff through Amazon/alexa. At least in that case he was able to speak with someone from Amazon, you will NEVER be able to speak with someone at Google.

  • @kreaweb-be
    @kreaweb-be 2 месяца назад +2

    As a programmer, I use an algorithm to generate passwords that are fairly complex and unique for everything I use.
    I only have to remember 2 things by heart:
    - the first (fixed) part, used in all my passwords
    - the algorithm to generate the second (variable) part of each password, based on the URL of the website or service.

    • @fcoder1
      @fcoder1 2 месяца назад +2

      so what are you doing if one of the passwords is compromised?

    • @kreaweb-be
      @kreaweb-be 2 месяца назад +1

      A good question. It happened once in the past 10 years. In that case I had to change the first (fixed) part of all passwords. It took me a few hours but my system is still working. A small price to pay for not having to write down any passwords.

    • @dav1dw
      @dav1dw 2 месяца назад +3

      Just hope you never get old. lol

    • @TonyWhitley
      @TonyWhitley 2 месяца назад +2

      Or die. My sister's partner (a former senior IT manager) died and left her without access to their joint bank account and several other accounts (he'd managed everything). I use KeePass 2 and save its database to a USB stick (when I remember) stored in a place known to my dependents.

    • @kreaweb-be
      @kreaweb-be 2 месяца назад

      @@dav1dw I'm 61 now...

  • @fu2201
    @fu2201 2 месяца назад +20

    This is good UNTIL the password manager company gets hacked and everything is leaked

    • @solidusflux
      @solidusflux 2 месяца назад +11

      Unless there is a defect, they will store your stuff encrypted with a key that always stays on your side, produced via your passphrase. So if they get hacked, they don’t have your key, and see gibberish instead of your password. That’s the zero-knowledge approach he says soon after 11:00.
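
The "key that always stays on your side" in the reply above is the whole of the zero-knowledge idea, and it is easier to trust once you see the data flow. The block below is an added example of my own, not the video's or any vendor's code: the client stretches the master passphrase with PBKDF2 into an encryption key and a MAC key, encrypts the vault and tags it, and uploads only salt, nonce, ciphertext and tag. The server-side function then shows what a breach of that storage yields. The cipher is an illustrative HMAC-SHA256 counter-mode construction with encrypt-then-MAC, chosen so the example runs on the standard library; real managers use AES-GCM or similar, and the vault contents and passphrase are constructed sample data.

```python
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 600_000   # OWASP's current guidance for PBKDF2-HMAC-SHA256

# Constructed sample vault; none of these are real accounts or credentials.
SAMPLE_VAULT = {
    "example.com": {"username": "alice", "password": "rV9!kq2Lm8#xZp4wT1"},
    "bank.example": {"username": "alice.w", "password": "7uH%sD3nQ!vB0cY6e"},
}


def derive_keys(master_passphrase: str, salt: bytes) -> tuple:
    """Stretch the passphrase into 64 bytes and split into an encryption key and a MAC key.
    This runs on the client only; the server never sees the passphrase or either key."""
    km = hashlib.pbkdf2_hmac("sha256", master_passphrase.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (illustrative, not a production cipher)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_passphrase: str, vault: dict) -> dict:
    """Produce the blob the client uploads: salt, nonce, ciphertext and tag. No plaintext, no key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_passphrase, salt)
    plaintext = json.dumps(vault).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_passphrase: str, blob: dict):
    """Return the vault, or None if the passphrase is wrong or the blob was altered (tag checked first)."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ciphertext"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(master_passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def server_can_read_secrets(blob: dict, vault: dict) -> bool:
    """What a breached server sees: does any stored password appear in the blob it holds?"""
    stored = bytes.fromhex(blob["ciphertext"])
    return any(entry["password"].encode() in stored for entry in vault.values())


if __name__ == "__main__":
    blob = encrypt_vault("correct horse battery staple", SAMPLE_VAULT)   # constructed passphrase
    print("server holds plaintext secrets:", server_can_read_secrets(blob, SAMPLE_VAULT))
    print("right passphrase recovers vault:", decrypt_vault("correct horse battery staple", blob) == SAMPLE_VAULT)
    print("wrong passphrase yields:", decrypt_vault("wrong passphrase", blob))
```

Two consequences follow directly from the code. A breach of the server hands the attacker a blob whose only way in is guessing the master passphrase through 600,000 PBKDF2 iterations per guess, so the strength of that one passphrase is what the whole scheme rests on. And the same property cuts the other way: if you forget the passphrase, the provider cannot recover the vault for you, because it never had the key.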

    • @richardperritt
      @richardperritt 2 месяца назад

      Self host or non-online version. Then you are responsible for the access to the database

    • @gregebert5544
      @gregebert5544 2 месяца назад +1

      BINGO! The password-management company is a treasure chest of info, and that is where hackers will be spending most of their time trying to break-in. And when they do (yes, it will happen), all hell will break loose.

  • @paulladdie1026
    @paulladdie1026 2 месяца назад

    Great video Dave. I believe, like yourself, I am slightly autistic; I have a particular ability to remember numbers and scientific constants. I keep my password database in my head. I can remember 25 yrs ago as a Windows sysadmin, running L0phtCrack on our company's NT4 domain to do a password quality audit. We then made changes to our domain controllers to enforce strong passwords. A few years later, we provided remote access for some workers, and I implemented RSA SecurID on our network to allow 2FA.

  • @ognjenjakovljevic494
    @ognjenjakovljevic494 2 месяца назад +4

    Best password manager is my brain

    • @stargazer7644
      @stargazer7644 2 месяца назад

      No, actually that's demonstrably the second worst password manager. The worst is writing it on a post it note on your monitor.

    • @Mikexxx531
      @Mikexxx531 Месяц назад

      @@stargazer7644 Brains can have data rot. Many people here will agree.

  • @darkflux
    @darkflux Месяц назад

    2FA may help short term, but all somebody needs to do is steal your phone, then use the "forgot password" feature to reset it. 2FA won't stop that. ESPECIALLY since phones never ask for a password to open and access your email or text messaging app (at least, the standard built-in ones don't).

  • @WarrenGarabrandt
    @WarrenGarabrandt 2 месяца назад +10

    3:45 *suddenly realizes that I have like 30 different passwords for various sites, all at least 24 characters long with totally randomly generated characters that I remember and type regularly* Hmm.. I guess I'm a lot closer to Rain Man. Not sure if that's good or not. Probably not a great sign.

    • @petercottantail7850
      @petercottantail7850 2 месяца назад

      I don't think remembering weird codes is too hard, it's just annoying. But you know the saying, 'use it or lose it', so it's too risky when I don't log in after a few months etc.

    • @stargazer7644
      @stargazer7644 2 месяца назад +3

      Baloney. I'm throwing the BS flag.

  • @foomoo1088
    @foomoo1088 Месяц назад +1

    lol , adding the ! at the end isn’t done to fool the hackers, it’s done to stop the password police from rejecting you.

  • @slatanek
    @slatanek 2 месяца назад +19

    I never use those. An old school notepad sitting in the drawer under pants and socks is the best password manager I ever had. It requires the hacker to break into my house and search for a random notepad. Then he'd have to decipher how I wrote those passwords down. I'm sure that's better than putting my passwords into the hands of a random company.

    • @SeanBZA
      @SeanBZA 2 months ago +2

      Yes, that does work, unless you are in tornado alley, or in a hurricane area, flood area, earthquake country or wildfire country, where that drawer can easily be destroyed in a single event. That is however a good backup, and a way to keep the password manager password safe.

    • @oroville12345
      @oroville12345 2 months ago +1

      This is exactly why I keep my password backups in different locations

    • @jhwheuer
      @jhwheuer 2 months ago +1

      Great as you seem to be home bound. Not possible for those of us traveling.

    • @cappaculla
      @cappaculla 2 months ago +3

      Do you also put your savings into a big sack under the bed? And is that bed in an underground bomb shelter with your assorted cans of lentils? :D

    • @ausnetting
      @ausnetting 2 months ago +2

      A password manager prevents you from filling passwords on pages with bad certs or wrong URLs. They help eliminate human error. Your notebook does not.

  • @andrewsgarage796
    @andrewsgarage796 1 month ago

    Awesome Dave, very educational video mate. Best regards, Andrew from Downunder

  • @veemacks7255
    @veemacks7255 2 months ago +4

    No company is unhackable, including password managers. I'll never trust anyone else with my passwords. I don't use the same password on any two sites/services. You just need to come up with a system that nobody would know that results in a unique password for every site. It's not that difficult.

    • @johndeaux8815
      @johndeaux8815 2 months ago

      This. I never understood the concept of password managers. All they do is give the threat actor a more valuable target. Why hack this service, obtaining 1 password per user, when I can hack this other service, which stores 10 passwords per user? The latter sounds like a far juicier return on investment.

    • @VanHelvet
      @VanHelvet 2 months ago +3

      Any password manager worth their salt encrypts their users' password vaults with the user's master password as a key. Even if breached, they cannot just decrypt the vault. This comment section is filled with misinformation.

    • @hayax
      @hayax 2 months ago +1

      Password managers encrypt the passwords that are sent to the servers. They can only be decrypted with the master password that you know.

    • @veemacks7255
      @veemacks7255 2 months ago

      @hayax Lose (or have stolen/hacked/phished) your master password and you lose everything.

    • @Spractral
      @Spractral 2 months ago +1

      Why not just host the password manager locally? Essentially all the same features of a Chrome/etc. pwman, except it's hosted by you instead of them.

  • @JonBrase
    @JonBrase 2 months ago +2

    I simply have a folder full of files with password hints on my desktop machine. The hints are vague enough and specific enough to my method of choosing passwords that I'm confident they're secure.

    • @UmVtCg
      @UmVtCg 2 months ago +1

      A good system like that can work. Assuming you're not a high-payoff target, cyber criminals will move on to easier targets, like people that are dumb enough to use passwords from the infamous RockYou list.

  • @RetroJack
    @RetroJack 2 months ago +11

    A password manager simply converts many points of failure into one - no thanks.

    • @VanHelvet
      @VanHelvet 2 months ago +5

      To anyone reading that, that is a misguided half truth. The idea is to enable people to manage their passwords in a secure manner, by generating strong, unique passwords that are only retrievable through a vault secured by multi factor authentication. What you want to avoid is reused passwords stored in insecure locations such as a browser profile.

    •  2 months ago +1

      That's a myopic view. It's a vault. How are you storing multiple long passwords? Paper? Plain text?

    • @perwestermark8920
      @perwestermark8920 2 months ago

      If you use that sentence as the passphrase to unlock the password manager, then it's easy to remember the passphrase.
      It is normally very hard to look at a password input field and crack the password. Most software has code to block too-quick attempts or too many failures in a row.
      But quite regularly, a site gets hacked, and clear text passwords [if the hacked site was developed by a cave man] or password hashes + email + user account names get leaked.
      If a big shopping site gets hacked, then millions of accounts can be leaked from a single hack.
      If I get access to the leaked account information, I could iterate alternatives until I find some password text matching the password hash.
      Now I could guess that the user maybe has the same email address and password on 200 other random but interesting sites. So I could try to log in with email + password.
      And that is why a user should *never* use the same password on multiple sites.
      But who can remember 100+ strong passwords? A password manager software can handle thousands of strong passwords. And can even generate new strong passwords.
      So taking the cost of writing a 20-30 character password is really worth it. Never can one account hack leak a password working for another site. And the password manager is great at fixing strong and random passwords.

    • @newmonengineering
      @newmonengineering 2 months ago +2

      Yes, and no. Technically speaking, if they got only your vault, then yes, they have all of your info. However, if they grabbed everyone's vault, you as an individual are among many, and likely would not be 100% compromised quickly. The thing with the vault though is they are each encrypted per individual, so having the vault is only part of it; they also need a password to see it. Going further, remembering 100 passwords is also a poor decision; if you get into an accident you might forget many of them. Having a book is OK as long as no one grabs it from you, in which case you are in the same situation as your complaint. It is far better to have every password different, and human memory can not be trusted. So a central location is always the best method. But since this is your view, my question is: how do you keep your passwords now? And are they secure?

    • @alalalavaladu3670
      @alalalavaladu3670 2 months ago +1

      No. Password managers are significantly safer for most people. They can protect you from insecure passwords, phishing attacks and simple credential stealers.

  • @Bryanhaproff
    @Bryanhaproff 2 months ago +1

    Pencil and Paper DAVE! Although Autofill is nice.

    • @Bryanhaproff
      @Bryanhaproff 2 months ago +1

      My Paper Password Manager is Protected by a Lead dispenser and it has never failed me.

    • @robertthomas5906
      @robertthomas5906 1 month ago

      Great idea. Put it where nobody will ever think to look. Under the keyboard.
      That's where I've found them before.

    • @Bryanhaproff
      @Bryanhaproff 1 month ago +1

      @robertthomas5906 You forgot about my Lead dispenser.

    • @Bryanhaproff
      @Bryanhaproff 1 month ago +1

      @robertthomas5906 The Lead Dispenser is a Full Protection Plan.

  • @georgeide2337
    @georgeide2337 2 months ago +1

    I use different passwords for my five most important accounts and always keep them over 25 characters long, using a combination of letters, numbers, and symbols that do not form real-world words or contain identical characters in a row. I also change my passwords every year, and I have never needed a password manager. I have always enjoyed exercising my memory, and I believe that people can memorize much more than they think possible with their memory by putting in some effort and learning some memory techniques. The most secure place to store a password is in your mind, once you can trust it enough. In my opinion, we rely too heavily on digital tools these days.

    • @DavesGarage
      @DavesGarage 2 months ago +4

      You remember 25 different long complex passwords with symbols? Check out my book! ;-)

    • @BerndFelsche
      @BerndFelsche 1 month ago

      And one day, you'll wake up after a bad case of the flu and have trouble even spelling your name.
      Write down the clear text password for a password manager instead, put it in an envelope. Put that into another envelope and store it in a secure place... where a trusted person has access.
      And for when (not if) the host of your password manager goes tits-up, periodically store a clear text backup offline, out of plain view in a tamper-evident container.

    • @georgeide2337
      @georgeide2337 1 month ago

      It looks interesting based on the title alone, so I definitely will! @DavesGarage

    • @ianflint4610
      @ianflint4610 1 month ago +1

      My CEO had been using a 36 character password string. As a test, he asked IT security to break into his account - it took them 6 minutes.

  • @MrPir84free
    @MrPir84free 1 month ago

    The downside of using the built-in password manager from a browser is that the account holder, and if I remember correctly, resetting the user's account, still allows one to open the browser and export the entire list of passwords. Where you can, you should configure 2 factor or use SMS text messages, etc. as a backup for most if not all of your different logins.
    The upside - many browsers allow you to set up a different profile and thus save your associated passwords per profile. It does not solve the issue of someone exporting your passwords, but at least your browser extensions should be limited to the browser profile they were installed in, thus making it possible to keep some stuff completely segregated.
    Another downside - I try not to use Google to replicate passwords, but that also means that sometimes the only copy of a password is on a particular computer. This might be good in some circumstances, but bad in others.