Most Secure Password Management Explained | Go Incognito 3.4

or you can go further and append a full password to the password stored in the password manager. So, if you usually use the password p@$$w0Rd, you can a append or even put it in before the password manager's password. So your password manager would literally only know 1/2 the password. It's more work than simply putting a word, but, if someone was to get a hold of your password manager, it would be a lot more work for them tnan guessing what word you appended to the password. I dont think it would be hard for hackers to use your password manager's files along with appending dictionary words or just trying different combinations.
If you do append a word to the end, it would be wise to use a different word for each website just so that it add a little more difficulty in case a hacker finds out that you used "lemurs" at the end of your passwords.

Glad it’s come back! Keep at it mate

I am sure he has a life offline.

@@techlore What about simply making a random password for sites you don't frequent but require you to either join (usually by way of f@c3b66k or gargl3) or sign up, then in the event you visit the site again, just automatically going through the "forgot password" process, which used to be a daunting task but is fairly seamless now. Is this method of bypassing the password and going straight to authentication code via email a viable strategy and any more or less safe than any other safety measure?

Great job please don’t stop ❤️

Yay thanks for watching!

Welcome aboard!

I had this argument on another thread yesterday. I try to educate people who ask me about the subject. I am sure if I asked most of them how their digital security is progressing. Most of them would have made no real effort. I know because I have asked. Months to even a few years after the fact.
Some people have no idea what 'over criminalization' is.

Right on.

I could not find a public audit for bitwarden. Hence why I have not used it. Do you know of one?

@@jamesedwards3923 they did one one 2018.

@@njpme Do you have the link?

@@jamesedwards3923 cdn.bitwarden.net/misc/Bitwarden%20Security%20Assessment%20Report.pdf

Is it for iOS?

No dumb ass criminal who power ups a device would do that. There are many software programs that call home. If a thief was bound and determined to access data on your device. They would physically disconnect the wifi, bluetooth, and even hardware ethernet connections. This is as easy as looking up the specs on your device.
So now your device can not phone home. Next if they are smart. They will use some secure but lean version of an open source OS. Like Linux, there are others. However, Linux is the most used for private and commercial use. Outside of Microsoft Windows, Unix, and Apple. O yea, Android, which is based off of Linux. Anyway, so they would do that.
So if you are using hardware encrypted drives. Depending on the drive. There are publicly available videos, forms, and docs talking about the weaknesses and how they can be compromised. Basically if you search the brand and make of hardware encryption. There are holes in many of them; some worse than others. Why, because the manufactures were very, very, very sloppy or careless. Basically, they wanted to upsell devices by using the words 'AES' and 'Encryption.'
So your safest bet is to use software encryption for critical files and closing of minimizing holes in your operating system. Damn, so many holes in Windows for example. You can find guides and searches on all of this. Turning off a lot of those 'advanced' features. Which are designed to help you troubleshoot and diagnose problems. Are also avenues for people to compromise your system. Even some that try to make your system work faster and more efficiently are an potential security risk.
Here look at what Veracrypt tells you. As an example:
www.veracrypt.fr/en/Documentation.html
Now look at these articles discussing the issues with windows and privacy:
www.techrepublic.com/article/windows-10-violates-your-privacy-by-default-heres-how-you-can-protect-yourself/
pixelprivacy.com/resources/windows-privacy-settings/
www.computerworld.com/article/3025709/how-to-protect-your-privacy-in-windows-10.html
Now before I continue with my replay in generality. I want you to listen to this video.
Why you should NEVER* encrypt your backups
Aug 29, 2018
ruclips.net/video/X5c4Jarmu0I/видео.html
My Comments: This man is well know and respected in the circles and industry on this topic. I respect him. However I get really heated in the comments section. Why, because the arguments are valid but have holes in logic and common sense.
"Fail safe or fail secure." - As you probably figure out by now. Hardware encryption should be use for low threat models. Or failinig that. Should be combined with software encryption at the bare minimal. My solution to this is simplicity itself. If you do not want to do a software encryption in part or whole of the partition(s) of the drive. Just encrypt the damn files!
He is right saying it would be extremely difficult if not impossible. To restore an encrypted partition if the drive is damaged. Retrieving files is a far easier tasks. Not argument, however what he pretty much ignores is this:
"Just encrypt the fucking files on the non encrypted drive. It is that fucking simple. That way if the drive is damaged. A recovery service should be able to retrieve most if not all of the files - Which they will let you know in advanced!"
Hardware Encryption on External Hard Drives: Useless
Feb 15, 2013
ruclips.net/video/myOU6-OVak0/видео.html
Now another argument against even hardware encryption. Is that depending on the drive, manufacture, design, etc. The same problem can happen. Which is more or less true. Again, many factors.
There is something called 'The 3 2 1 Rule.' When it comes to backing up files:
3 Copies of the file.
Stored on 2 different types of media.
Have at least one off site.
You buy enclosures and drives on the cheap. a 2TB platter drive cost less than $100. If you want SSDs, depending the implementation and technology. $50 to $200 for a 1TB to 2TB. The median income in the USA is about $35,000 gross for a single adult. Find a way!
I always recommend using both. Yes even with the known flaws in hardware encryption. Depending on the location, drive, and data on them. I often opt for both hardware and software encryption. If I choose one. It is software encryption.
Tracking your technology is a good idea. Making sure the bad guys will have to struggle horribly to access anything on it is another.
Now which software should you use? If you use software encryption, and you should!
Veracrypt is right now the leading open source option. TrueCrypt is its predecessor. DiskCryptor, A lovely drive only option, but I do not know if that project is ongoing.
You have PeaZip and 7zip as open source projects.
There are plenty of retail options, but it is retail. No, I contributed to all open software I use. Not the money, it is the trust issue.

No argument here.

I have a more flexible option for you. Use keepass or bitwarden. If you want total control. KeePass, but use kefiles also.
There are fork project and addons. That allow for keyfiles and FIDO compliance.
keepassxc.org/ is a popular version of keepass. The interface is what turned me off. Keepass 2.x is simpler to use and discloses all the options. At least that is my few on the software. It is my preference.
I do not knock it.

What do you use for your more important passwords?

What I found disappointing is that with earlier versions of Fire Fox. The developers frankly were lazy in implementing encryption with stored passwords. Not only did they use an older hash function. That is easier to brute force. They did not apply any iterations. Which means it was not even a serious consideration to security in that regard. I am glad that FireFox is 'finally' working to resolve this in the future.
The theme I have noticed in the past ten years is that some companies have taken lack luster or horrible efforts into encryption.
Take for example hardware encryption. By my count between 2014 and 2019 there are a few instances where companies effectively were lazy in how the implemented encryption. Some so lazy that anybody with any number of free tools and a little patience can crack your, 'security through obscurity measures.'
The only reason I am 'considering' buying upgrades with hardware encryption is 'layering.' No other reason. Yes, many hard drive with encryption are flawed, but it is also a though on threat models. If a common thief steals my hard drive. They will either sell the drive or wipe it for themselves. If they have to break through layers of encryption, it is harder for them to get the data. Until hardware encryption is implemented properly. You should always use software encryption if the data is sensitive. Regular drives cost less.
Software encryption always trump hardware encryption. Using a combination of the two is an economic choice. The implementation has been horrible with some companies. Samsung according the brief on their formal paper had the fewest issues. Next up was crucial. The best when using both is to make sure anything mission critical. That should not be compromised. Should be protected with 'software' encryption.
Your options are as follows:
1) Software encrypt the files.
2) Encrypt the entire drive with software encryption. Which will hit the performance depending the hardware and the software being used. Also depending on the software. You might have to choose weaker options with whole disk encryption.
3) Encrypted partitions of the drive. This is a viable option if you are concerned with the balancing act of security and performance speed. Remember you are potentially giving easier access depending on the threat to the device. Notice how software encryption is again the corner stone of these options. Let us say some asshole who has hacking skills steals your computer with crypt currency. Or has important documents like your tax returns or something. Or how about something worse. Work information. Like say you are a lawyer or something. FYI, I am not a lawyer but you would have to be a fucking idiot to not a) software encrypt your client files. b) Have backups of client files which also be encrypted with software not hardware.
Your computer is stolen. They look at it and will probably, depending on the hardware drive as of late 2019. May take days or weeks depending on the various weaknesses know to each type of drive. Note: There is one hardware configuration I have 'heard of' that might be viable hardware encryption. However that is in configuration of a particular manufacturer.
So they break into your hardware encrypted drive but will no either find encrypted files which should be way harder to break. Or encrypted volumes, which themselves will be harder to break. Unless this person is going to commit more time and money to seeing if you have any data on it worth stealing. They will probably wipe the drive.
There is also the consideration of the thief profiling you. Remember the smarter thief will choose their targets for gain. Typically you can Gage a persons immediately. We are focusing on what the criminal can steal an gain a quick profit off of. Cash, jewelry, phone, etc. Same thing goes for home invasions too. If a data theif thinks you are worth the effort they will take the time to steal your tech and pound on it. Other times if they might take a quick run down on the device and see if their might be something of value.
Also consider your probable threats. A common robber normally does not have the skill sets or time to try to break your layers.
Think about all the people who are now fucked because hardware encryption was poorly implemented.
www.zdnet.com/article/flaws-in-self-encrypting-ssds-let-attackers-bypass-disk-encryption/
www.computerworld.com/article/3319736/bitlocker-on-self-encrypted-ssds-blown-microsoft-advises-you-switch-to-software-protection.html
www.computerworld.com/article/2995516/western-digital-self-encrypting-hard-disk-drives-have-flaws-that-can-expose-data.html
www.theregister.co.uk/2015/10/20/western_digital_bad_hard_drive_encryption/
community.wd.com/t/what-do-you-think-of-the-security-flaws-in-the-western-digital-security-encryption-on-our-harddrives/172354
www.scmagazine.com/home/security-news/encryption-flaws-in-solid-state-drives-enable-unauthorized-data-access/
www.darkreading.com/vulnerabilities---threats/critical-encryption-bypass-flaws-in-popular-ssds-compromise-data-security/d/d-id/1333207
threatpost.com/samsung-crucials-flawed-storage-drive-encryption-leaves-data-exposed/138838/
nakedsecurity.sophos.com/2018/03/20/nine-years-on-firefoxs-master-password-is-still-insecure/
www.reddit.com/r/firefox/comments/9zwgkt/how_secure_is_firefoxs_in_build_password_manager/

I also use KeePassXC with Firefox add-on, but for synchronization of .kdbx file between devices you can use Google drive without problem. But before you do it secure your password database not only with password but also "Key File". Store this key file on at least 2 USB sticks/drives and plug in to computer only when you need access. Your database on Google drive with strong password and without Key File is perfectly safe because they not only have to break strong password (which is rather pointless) but also have key file. And you cannot even start breaking password without this file.

What you can do is use something like bitwarden. If you wish to have password shared amongst family.

Use bitwarden for your’e passwords and use geurillamail for a disposable e-mail generator

Good solution!

Your plan is flawed.
Paper has flaw. It is a tangible asset that can be compromised easier than a computer.
You have just disclosed that you use patterns to your passwords.
Paper can be stolen just like a flash drive can. The difference is. I can have a file on it that requires multiple vectors for access.
For example, let us take keepass as an example. My password can be as long as I want it to be. Remember randomness to a computer is anything it has to 'compute.' If you want to be lazy but efficient with the password to your keepass file. You can use something called diceware. Where you use strings of random words.
Guess what if you have enough words you can form a sentence. You can then add salt and peppers to that sentence. That you alone know and nobody else. Sentences have spaces, puncuations, numbers, etc. Guess what you now have a long password with special characters. Upper and lower cases. Special characters and can remember those spaces count as special characters. Or you can relay on a peace of paper anybody can take from you.
O.K., now you have your secure password to your database. You have eliminated the first flaw in human capacity. That is lack complexity. How can you make it even harder? You can create key files. A keyfile can be any file it can read. You can generate them randomly, which is the preferred method.
- If you use a password manager such as Password Safe. Another open source project. You can use YubieKeys.
- In my opinion the keyfile is reasonably more secure because you can create a number of them on the fly anyway you can create a file. So a master password plus x number of key files is arguably more secure than a YubieKey. Since it must remain tangible. Although in my security upgrades I might use one.
So now you have your super long and complicated password. Your key files or hardware key. Now you have a database. What are you going to store in that database? Long and complicated password that are derived from a seed from the manager, but also from various factors of your computer. So clock speed, RAM, etc. Also these applications allow you to add additional randomness . As a human you have mechanical limits. Hence why technology is a upgrade from these limitations.
Now a lot of people are hesitant to store data on the cloud. That is fine. You would and should just lock up the files in another layer of encryption. Whether that keepass file is on an encrypted drive. Or rapped in another layer of encryption like a zip file or something.
- If you are going to store the data on a hard drive strongly recommend either encrypting it in a encrypted compression like a zip file. Or a encrypted volume file for example VeracCrypt file volume. KeePass has passed most of its audits with minimal concerns. However, why take needless chances?
- As of me typing this, May 2019. Hardware encrypted drives have significant flaws. However, I have a few old and new. Depending on the environment I will typically turn the hardware encryption on. Keep in mind I software encrypt my external drives because software encryption is more secure than hardware. However if you wish, enable both. So now you added more security. Depending on which software encryption program you use. You can add not only passwords but keys. Which can be of either type.
Again that extra security layer. Depending on your methods is far superior than a piece of paper that can be taken from you. The passwords created by the software will way better than anything you keep in your head. Yes, obviously there are some passwords you need to remember! What I am saying is the less you need to remember. The better the rest of your passwords will be. Especially if you have to remember one or two things as opposed to many. Especially if you add extra layers of encryption.

This will always be a better option. But I personally believe that having people store paper is better than remembering passwords on webpages with no password manager. It just depends on the user’s needs even if it isn’t the BEST option necessarily

@@techlore I am still trying to recover the passwords to older files. My fault and I blame nobody but myself. Even using keys and key-files is a more logical option than paper.
Your data, so your choice.

@@techlore I had a similar exchange with others on other threads. My recommendation is to store backups with different passwords. Like I said I have screwed up more than once.
The simplest option is a dicware code. Which logically could be a sentence. A few numbers. Or the much more dangerous route. A weaker password but multiple keys. Which I never recommend.
There are some programs which I will not name. That allow for multiple users to access an encrypted asset. It allows for separate users and keys. This way before password managers. I speak this option for people who want have a backup of they data, but do not want it compromised. You know planned estates, corporations, etc.
Let use this famous story as an example:
www.npr.org/2019/02/07/692466456/cryptocurrency-exchange-operator-dies-without-sharing-passwords-with-anyone
Now if he would planned for this, but wanted the data secure. He could implemented it in a number of ways. He could have divided keys and portions of the password. Three ways.
1) Safe deposit box.
2) Law firm.
3) Wife.
That way he could have given them encrypted file on an m-disk. So you would need three people to open the encrypted data with the crypto.
Last I checked safe deposit can not be opened unless you are dead with a court order.
Legal, clean, and secure.
Legal.

If you have the knowledge and skills. Then go for it.

A passphrase is the best compromise since phrases are easier for the human brain to remember. You can use salts and peppers to pass phrases. The problem is that many websites do o.k. to crappy jobs securing passwords. We all know this in general.
Also you have to remember a computer can do a better job than a human with generating and remembering passwords. So the logical course of action is simple. For the passwords you must remember, passphrases are best. For passwords you do not have to remember. Use some sort of encrypted password storage system. In conjunction use a good password random password generator.
The third problem is that people want to remember passwords that are not mission critical. If you do not need to remember the password, store it in an encrypted password storage of some sort.

In context, they are synonymous. Only somebody complete ignorant or is an idiot could not figure out password and passphrase are interchangeable. When discussing this.

DavidFish is this on every phone? Can’t find this option on my 6P

@@techlore I have this option on stock android P ;). You can find it in Settings > Security and Location > Lock screen preferences > Show Lockdown option

I no have that

@JADFcentral less secure yes, but I would trust them to some degree with 2FA enabled (for non IT people who cannot keep a database file/KeePass in sync). Reason is of course without 2FA your account is accessible from anywhere.

2FA is the very next lesson. Patience young one 😉 The end of this video says 2FA is arguably just as important as a strong password.

If that’s what works best for you then yes!

Nothing wrong with that at all. Most people I know would not do that at all. Here is my suggestion.
Keep that as your primary, but when you need to access that file. Or backup your data. Try to do it in multiple formats.
The advantage of using open source programs like KeePass or Password Safe are many. One of them is that the files themselves have their own built in security. We can argue back and fourth how secure it is. The point I am making is that you can transcribe the data to a key file. Keep a backup on your phone. One that is available to access. The other encrypted in a zipfile. You phone should be encrypted. Your phone password should not be the password into your encrypted password file. So that alone has two layers of security. If you are just backing up your files on your phone. You now have three layers of security.
I have backups of my passwords stored in alot of places and have and currently upgrading how I secure the files. I will not go into to much detail.
Again, see nothing wrong with what you are doing! I just see it as limiting your workflow. If you are at home and your computer is locked down. Great, but if you are on the go. You need reasonable secure alternatives.
If you have to unzip that file. That is a security risk on your mobile device.
So I personally recommend you use something that is secure for your mobile or public environments.
Thank you for actually using common sense. I can not get people to what you do or better.

... Just expanding and simplifying my initial response.
I would would only suggest what you do for a backup file. In an alturnate format. I backup my stuff in different formats. So here are my suggestions:
1) The best option is to use a password manager. As your work use file. Your initial idea should be for backups. Should you need to restore, transfer or reconstruct the databse.
I would recommend keepass, password safe, or bitwarden. They are open source.
2) If you want to go the zip route:
-Which I do not recommend when accessing your passwords for everyday use. Once the file is extracted. It can be compromised. Even if on your phone.
Hence why if you do this. Have an encrypted USB drive with a self contained zip extraction tool. Hardware encryption even now is notoriously flawed. Do the research if you do not believe me.
Again for backing up your password data. It is not a bad idea. Outside of that. I would not recommend it at all. Find a good reputable password manager. Preferably open source! That has been audited.

Waffles i think you can do that with keeppass bc they store your passwords on your hard drive instead of the cloud

That is a problem.
Yes, length does help with a password. However anybody who has the hashes of your passwords from websites.
Knows you fit a standard demographic:
Do not use length.
Do not use special characters.
Probably do not use upper and lower case.
The weaker your attack surface. The easier it is to break your hash.
This also tells me that you are trying to remember all your passwords. Which may not be true. However would not surprise me if you are. Which means once one or two of your hashes are compromised. They can figure out what you did and backward engineer it.

My personal opinion is to go open source with your primary password manager.
KeePass
Password Safe
You can try to use online based management systems if you travel. You have to analyize your threat vectors. If you are a frequent traveler. Data lite efforts might be advisable.
1Password's "Travel Mode" Security
TWiT Tech Podcast Network
ruclips.net/video/0mI_kii2gqU/видео.html
www.schneier.com/blog/archives/2018/07/1passwords_trav.html
Unless you are going to commit all your password to your head. Which for most people doing this and creating dozens of strong and secure passwords is not very fucking likely. Not impossible, but most people are not going to spend the time and effort required to successfully pull that off.
Total anonymity? Not possible unless you start new accounts from scratch.

Using a password manager. Creating a master password. The answer is as long as possible.

KeepassXC is a fork of Keepass. It’s more frequently updated so many people choose to use it. Completely your call

@@techlore thank you for your reply I mean before privacytools.io recommend KeePass but now if you check they replace it with KeePassXC not just privacytools many other websites remove keepass and recommend KeePassXC I don't know why?

You can, but keep in mind this is a very easy avenue of attack. Safer to separate your passwords from your browser with direct access to the internet.

@@techlore OK thanks for replying so switching to Bitwarden now...

No look up the data on how it was thrown in. The effort was more or less shoddy work.

You can 100% use KeePass on your phone...

@@techlore I see they do have a mobile app but it appears to have some issues syncing the database based on the reviews for it. Maybe Bitwarden would be a better option for me.

Most of the people I know, seen on the street, etc. Are lack luster to garbage.
1) Most use biometrics as a single factor of authentication on their devices. This is beyond fucking stupid if you give a shit about security.
2) Most use PIN codes instead of passwords. The potential strength of a code is greater if you use a password.
3) Many people do not encrypt their phone. Of course you have to exclude Apple Users since it is turned on by default.
4) Most people do not encrypt their microSD cards.
If I ever used biometrics it would be part of a multifactor system.

It’s the very next lesson of the series

he's referring to cloud sync, not simply uploading / downloading the file, that would be stupid. if you lose access, you still have the file locally.

Exactly. You can make several copies of your database, including a local backup.

Did you see in the video it flashed up several times “ not all password managers are created equal - try out Bitwarden”. The reason the video said this is that it is not proprietary software it is free and open source (FOSS). For that reason, this makes it loads better than the others. I’ve been using it for ages and it’s absolutely fantastic

Thanks for your reply honest i didn't find it on the video but on privacy tools.

I have not used it. However from what I have read and seen. I would recommend it. Open source, so please donate to the project! Plus if you have a family, it cost twelve dollars a year for advanced features.

Really 0 reason to use it IMO-that goes for any paid closed source password manager. Use bitwarden if you want a free and open source password manager with simple cloud syncing and integration, or keepass for something local

Bitwarden is open source. Don’t trust any company, trust code that’s viewable to the public.

Also KeePass does work for iOS. What’s not working?

Techlore Well, no official version, no trusted community fork, some like minikeepass pulled off the app store, etc.

You have to conduct threat modeling.
Any password that is not in your head. Which should be almost all of them. Should be in your password manager.
If you hear of a data breach on a site. Where the hashes were stolen. Change the password.
If you hear of a site that stored your password in plaintext. Change the password.
If you had to give up your password or if you know it was compromised. Change your password.
If your device was hacked. Change your password.

Thanks!

Using a password manager really isn't that impractical. For many, it makes life much easier and organized.

Never use the browsers built in password manager. Unless you have no choice.

I know! No more delays 👊

You say that like it is a difference. There never was a difference. A password is anything the application allows you to use.

Yes and not. I would still recommend putting in number s and symbols. Larger character set means more guesses.

Lmao

This is a year ago, but lets go over what you did and did not do. For future users.
1) Did you enable all recovery options absent SMS? You should neve use SMS unless you have no other choice.
2) Did you export the database to plain text? Or a .pdf file? Obviously you would be encrypting that backup in a veracrypt volume of course.
3) Did you have your OTP option enabled? OTP is something like Google Authenticator.
4) Did you periodically transcribe your data to a keepass file?

240p 😆

144p 💀

You treat secret question answers like passwords.

Ay

@@techlore how was your day then?

No u

@@techlore That's hardly funny mr. Please reconsider your choice of vocabulary next time.

Complexity is extremely important.That is not the only thing that matters

@@techlore It is a myth, this comic explains it well: xkcd.com/936/

Just to be sure Don’t use words from the dictionary.

@@justinw8716 No, please use words from the dictionary. For example river-bird-hexagon-kappa is a supersafe password

@@nero1810 I have a notebook so I could just write it down if it’s too complex