It’s possible; just not the way you think.
Even password managers can be hard. They are wonderful when they function as expected. When they do not, it causes major problems until you can figure it out. I use a password manager for all non-money-related sites. For money sites I keep a written record securely locked which simply reminds me of password structure. Any third party finding it could still not figure it out.
Password managers need to rely on analysing a web page in a browser for user and password entry fields. They may fail in doing so, as there is no standard web sites can adhere to and password managers can rely upon when doing their work. All password managers can do is intrude into web browsers, look at the pages you are loading, find the username/password fields based on heuristic rules and fill them. This has been a technology applied for a decade now, and it did not get any better. And it is so much bailable by any means.
The upcoming alternative to resolve that issue (among others) are passkeys. They can rely on a standard to work - either a browser supports that standard or it doesn't (all major browsers but Firefox (which I find very disappointing) do today). And third-party password managers start to do it as well, and it does not require all of them to figure out what is going on and supposed to happen by analysing web pages - passkeys are a well-defined standard, including web sites accessing them for login: they simply place a well-defined JavaScript statement on their page.
What exactly do you find hard about password managers, if I may ask? I use KeePassXC which is one of the most trusted password managers and it's pretty easy to use.
I do the same. I don't trust my cloud based password manager to protect my financial sites because they have been hacked multiple times.
@@drescherjm Did you ever think of changing your password manager! Doh!
@@almuric1baggins337 Too much work. I have around 400 accounts. I also, as a person in IT, use 20+ devices on a given day, which can limit the options.
In an ideal world, there are no hackers and identity thefts.
I’ve used an algorithm for 20 years and never had a problem.
Thanks, Leo! (I’m really liking your videos.)
I’ve used a password vault for many years. And then it was breached. My husband thought I should change services. I felt that at least we know this one is now beefing up, where the rest are still unknowns as far as security.
Keepass - very happy with that one.
In an ideal password we wouldn't need passwords!
In an ideal world we would not need passwords
Really bad idea to store it in the cloud. Store it locally on an external disk, mirrored in a file encrypted with AES. Just in case, print it and save it at home in a secure and hidden place.
Or for computer sites - Memorize a list of 52 characters. Make it words and numbers. Example: 1Jerky2Party3Green4Horse5Sugar6 Banana ... It doesn't take long to memorize and you can use it forever. Completely uncrackable by any advanced method.
What happens if a hacker gets into your password manager? Can they now get into every site that is stored there?
The answer is yes, they would have access to everything. The question is, how do they defeat AES 256, which protects all good vaults?
Leo, is there any concern when you copy a PW from a vault and paste it into a site? Should you delete copied passwords, and what is the best way to do this?
If it's literally you doing the copy-paste, a) the risk is minuscule, and b) simply copying something else into the clipboard would remove it from there.
When I was a newbie medical student 5 decades ago... to remember complex anatomical structures we used mnemonics as an aide-mémoire... now I remember esp. the 'bawdy' ones!... so even algorithms may be forgotten...
Your advice or idea of an algorithm for choosing a password is excellent. I also have my own decided algorithm; but I am not telling what it is.
why not 😀??
still my secret! @@Beavis-et8ox, but you can think of your own method.
Great, helpful video, Leo, thanks for all your great help and information over the past year. I wish you well for 2024.
what about the windows 11 or iOS native tool?
With Apple TVs, no more typing in passwords on the screen: set up iCloud Keychain, then call up the built-in Remote app on the iPhone and select that Apple TV. When it asks for a password, on the iPhone select your account password from the autofill and it will fill in the password. This gets around hand typing, period.
In an "ideal world" you would not use a password at all, but authenticate yourself with a key. Yet it's 40 years down the internet road and Microsoft still doesn't know how keys work.
The "problem" with password managers is that you put all your data at a single point of attack.
Hi Leo, really enjoy your videos. I'm wondering what your take is on auto-generated passwords such as the ones Firefox offers, with auto-login into each account that it creates a password for.
As long as you can configure the password to be sufficiently complex, they're great. I use 1Password's generator. Here's an example: o2EYjUJHryXFCgxvZ8UT
The best approach for password managers is to add the same few secret characters to the beginning or end of every auto-generated password. Then if the vault is hacked it does not list your full password.
Problem I have found with some password managers is the ability to save the complicated auto-generated password.
Sometimes there is an automatic prompt and other times there is nothing.
How safe is a password vault / manager... if that is hacked or down a user will be stuck... best is to keep a written list of the passwords in a physical 'vault'.
Disagree. Even if the provider is hacked your passwords remain securely encrypted and useless to the attacker.
@drdr73 and @askleonotenboom I've thought about this a lot over the years. Keeping a written/printed password hidden in your living space is an X-factor more secure than in an online location. In my case I have hundreds of books and I could also buy or make a "Book Safe" to store a notebook or business card holder with the passwords in it. If thieves break in, their main concern is to smash and grab easily re-sellable items such as jewelry. They'll even grab your pillowcases to load up the items and then get out fast.
If you have a can in your pantry with a password book inside it, they will not even look for it. All you have to fear is a house fire, flooding, earthquake... and that you keep your list up-to-date with your online manager. I also store USB drives and memory sticks in a container in the pantry instead of leaving them on my desk or in desk drawers. There are videos for making hidden "safes" on RUclips as well. For that matter, if you have relatives living somewhere else, they could keep a backup at their house. I just watched another video that recommended using a business card holder and keeping your passwords on their own cards, and if you update certain fields, either replace the card or use pencil to write down your passwords so you can erase and update them. I also would have a field for when I last updated the password, as I try to do that almost on a yearly basis.
I do like the idea of using an algorithm, which I actually started doing a year or two ago. I include hints of the website/business name and also a hint at when the password was updated. I use Nord's "How Secure is my password" site and according to their estimates, you can get a 30-years+ secure password in thirteen to fourteen characters.
As I get older, it's harder to remember things so if your parents are having memory issues, you might consider that it may be in your future as well.
Thanks Leo!
Do password vaults work in an Enterprise (Microsoft/Windows) setting when logging into on-premise business software, each with different usernames and passwords, while adhering to company policies such as password length and password expiry? Examples of such software include Accounting, HR, Payroll, etc. that staff have to routinely use.
IT support for the organisation I worked for wouldn't install anything like that, but 1Password has a web interface so I could copy and paste.
@askleonotenboom What’s your opinion of using Apple Keychain as a password vault?
It's fine, as long as you don't need the info on a non-Apple device.
What if the vault fails? Like any other soft.
This is why you should be backing it up regularly. (And even if not you haven't lost access to anything.)
@@askleonotenboom , so, that means I need another password? For the back-up.
@@TroyQwert That depends entirely on how you choose to securely store that backup.
@@askleonotenboom , I hear you. What if the back-up fails simultaneously with the "A-roll"?
@@TroyQwert Hopefully that never happens, but most recommend two backups: one local, and one off-site. So that's an extra level of protection.
Good tips & try to keep it simple for yourself too! 😊
Seems like a violation of the rule -- don't put all your eggs in one basket -- and dangerous.
Don't all important services have 2FA anyway? Even if someone has my password, why would it matter? They can't log in without 2FA.
No. Not all do. And not all people use it when they do.
A lot of places have 2FA for logging in, and 1FA for changing your password. You can also get tricked into revealing your code to them.
I always choose the really really bad approach in all of my endeavors.
You need to get slightly more sophisticated, so will need at least four. One for your computer, one for your phone, one for your password manager, and one each where compromise might cost you huge financial losses, such as your bank account.
Can u give me 1 example of password
78V6hLEZvHjRBjLuXeZb
Password 'managers' or 'vaults' do not work- you are often required to enter particular characters from your password. They cannot do this. My bank wants both this and specified numbers from my numeric code. Another fail.
They can also cost money- which a password protected Excel file does not. And that, if all it gives is personal hints, is more secure than a password manager- they have been hacked before...
I suggest eliminating passwords - I can never remember them! - and going to a short series of personal questions you can answer. Also, I have no idea what you mean by "vault"!
Vault is a password manager program that remembers passwords for you, like 1Password, Bitwarden and others.
Yeah, but if someone somehow discovers your passkey password, aren't you then effectively as vulnerable as someone who used the same password for everything?
So in other words, they only need to know the password of your vault. Meh, bad way of doing things, especially our passwords for bank, paypal and the likes, should be passwords that need to be memorized.
Yes, but it needs to be 32+ random characters. Most hackers put a time limit on how long they spend trying to hack your password. Then they move on to the next one.
I normally do 24 characters. 32+ sounds a bit excessive, no? Is a 24 character purely random password (including special characters) easy to hack nowadays?
@@bgtubber It just takes too much time. They can get into 5 or 6 in the time it takes to break into one 32+. 16 is the norm now. Just put 2 or 3 random letters in it and that will stop 99.99% of the algorithm hacks.
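The length discussion above (16 vs 24 vs 32 random characters) and the earlier question of how an attacker who steals a vault would have to "defeat AES 256" both come down to the same arithmetic: how many guesses the password space allows, and how expensive each guess is. The following is an added example, not code from the video or from any commenter, that puts numbers on it. It assumes a vault that derives its AES-256 key from the master password with PBKDF2-HMAC-SHA256 (real products use PBKDF2, Argon2 or similar with their own parameters), a hypothetical attacker rate of 10^12 guesses per second against an unslowed hash, and the locally measured PBKDF2 rate as the slowed figure.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes used in the table below (constructed for illustration).
ALPHABETS = {"letters+digits (62)": 62, "printable ASCII (94)": 94}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_seconds_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected search time: on average an attacker covers half the space before hitting the secret."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit key from the master password (assumed vault design, PBKDF2-HMAC-SHA256).
    An attacker with a copy of the encrypted vault must repeat this per candidate password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def measure_kdf_guess_rate(iterations: int, samples: int = 3) -> float:
    """Rough single-core guesses/second for this KDF setting, measured on the machine running the script."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def crack_time_table(lengths, fast_rate: float, slow_rate: float):
    """Return rows of (label, length, bits, years at fast_rate, years at slow_rate)."""
    rows = []
    for label, size in ALPHABETS.items():
        for n in lengths:
            bits = entropy_bits(n, size)
            fast = expected_seconds_to_guess(bits, fast_rate) / SECONDS_PER_YEAR
            slow = expected_seconds_to_guess(bits, slow_rate) / SECONDS_PER_YEAR
            rows.append((label, n, bits, fast, slow))
    return rows


if __name__ == "__main__":
    kdf_iterations = 600_000          # assumed vault setting
    fast_rate = 1e12                  # assumed attacker rate against an unslowed hash (GPU cluster)
    slow_rate = measure_kdf_guess_rate(kdf_iterations)
    print(f"PBKDF2 at {kdf_iterations} iterations: ~{slow_rate:.1f} guesses/s on one core here")
    print(f"{'alphabet':22} {'len':>4} {'bits':>7} {'years@1e12/s':>14} {'years@KDF':>12}")
    for label, n, bits, fast, slow in crack_time_table((8, 12, 16, 24, 32), fast_rate, slow_rate):
        print(f"{label:22} {n:>4} {bits:>7.1f} {fast:>14.3g} {slow:>12.3g}")
```

The table shows why the "time limit" argument in the comments only bites for short or non-random passwords: even 16 fully random printable characters (about 105 bits) are already far beyond any feasible search, and the KDF in front of the vault's AES key multiplies the cost of every guess at the master password by the iteration count. The point where length stops mattering and the master password's randomness starts mattering is exactly the trade-off the thread is arguing about.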
Here's why I do not trust "use just one password" for a password vault: the password manager fails too often to properly fill in the correct password for a person's username, so the person still must either do some extra clicking OR enter the needed password using the keyboard. Even so, I myself do use a password manager with a "vault", this vault having its one chosen password.
Use a pattern of keystrokes that mean nothing.
Are you sure you are not working for some spy agency, because what is in the ether everything can be hacked, just saying
I would like to see the evidence that hackers crack passwords by testing character strings.
Does not explain what a password vault is.
Oh, I left out part of what I meant by insurance: use the same password on everything; if one site gets compromised, change the password immediately; insurance will cover anything else.
We all know that passwords are static therefore they can be stolen - e.g. via a keylogger. The best solution would be if sites displayed a fresh code every time you want to log in and your personal, PIN-protected HW key would display the one-time password for you to type in manually. Simple, secure.
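The scheme the comment above describes is challenge-response: the site shows a fresh challenge, a PIN-protected hardware key computes a one-time response from a secret that never leaves the device, and the user types the response in. Below is an added example, not code from the video or from any commenter, that models the exchange with both sides in Python so the properties can be checked: the response depends on a per-login random challenge, a captured response cannot be replayed, and the device refuses to answer until its PIN is entered. The key storage, PIN handling and response-derivation (HMAC-SHA256 with HOTP-style dynamic truncation) are assumptions chosen for the demonstration, not the internals of any particular product.

```python
import hashlib
import hmac
import secrets
import struct


def response_code(device_key: bytes, challenge: bytes, digits: int = 6) -> str:
    """Derive a short numeric response from the device secret and the server's challenge.
    Uses HMAC-SHA256 with dynamic truncation (same construction as HOTP, RFC 4226 section 5.3)."""
    mac = hmac.new(device_key, challenge, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class HardwareKey:
    """The user's PIN-protected token (constructed model). The secret never leaves the object."""

    def __init__(self, pin: str):
        self._secret = secrets.token_bytes(32)
        self._pin = pin
        self._unlocked = False

    def unlock(self, pin: str) -> bool:
        self._unlocked = hmac.compare_digest(self._pin, pin)
        return self._unlocked

    def enrollment_secret(self) -> bytes:
        """Shared once at registration so the server can verify responses."""
        return self._secret

    def respond(self, challenge: bytes) -> str:
        if not self._unlocked:
            raise PermissionError("enter PIN first")
        return response_code(self._secret, challenge)


class Server:
    """The site: issues a fresh random challenge per login and accepts it exactly once."""

    def __init__(self):
        self._secrets = {}    # username -> enrolled device secret (in practice: HSM / protected store)
        self._pending = {}    # username -> outstanding challenge

    def enroll(self, user: str, device_secret: bytes) -> None:
        self._secrets[user] = device_secret

    def new_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, code: str) -> bool:
        challenge = self._pending.pop(user, None)   # consumed whether or not the code is right
        if challenge is None or user not in self._secrets:
            return False
        expected = response_code(self._secrets[user], challenge)
        return hmac.compare_digest(expected, code)


def demo_login(pin_entered: str = "4921") -> dict:
    """Run one full exchange and return what happened at each step."""
    key = HardwareKey(pin="4921")
    server = Server()
    server.enroll("alice", key.enrollment_secret())
    challenge = server.new_challenge("alice")          # site displays this
    key.unlock(pin_entered)
    code = key.respond(challenge)                      # user reads this off the token and types it
    first = server.verify("alice", code)
    replay = server.verify("alice", code)              # a keylogged code is useless afterwards
    return {"code": code, "accepted": first, "replay_accepted": replay}


if __name__ == "__main__":
    print(demo_login())
```

Unlike a static password, the value a keylogger would capture here is only the six-digit response to a challenge the server has already discarded, which is why the second `verify` call fails.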
Didn't realize the first half of this video was a lecture
Welcome to my TED talk.
YubiKey anyone?
I have that but its not supported everywhere.
YubiKey is excellent as the *2nd* authenticator you use in addition to your password.
Several password vaults have been hacked in recent years; they are no longer the safe and best bet. The algorithm is a good idea, but over time your passwords will show a pattern that is not difficult to crack. The best way to deal with password authentication is to use a long phrase that is easy to remember but is nonsense. Couple that with MFA/TFA using your mobile to receive the challenge code. Until the industry implements passphrase technology. And by the way, use a Linux PC for your personal and sensitive data. I run Windows for various non-sensitive work. And a Linux box to access personal data sites.
"Several password vaults have been hacked" - please provide your sources. I don't believe "several". In fact, I know of only one compromise, LastPass, and so far NO actual password data has been confirmed stolen that I'm aware of. Password Vaults remain more secure than any of the alternatives.
@@askleonotenboom keep believing in fairies.
@@waynea4651 Yep I sure do.
Use Just A Single Password For Everything... sure... losing or someone PERMANENTLY BORROWING that password... you will also LOOSE EVERYTHING.. yes this "intelligence"
I'm assuming you didn't actually watch the video.
Lose.
Oh, please just use one password. The hackers will love you for it!
Instead of trash talking and talking, give an example.
And of course, never write down your vault/master password in a text file or on a piece of paper! That's like locking your house and putting the keys under the doormat. 😄 Even if nobody finds it, you could lose it. Just memorize it and make sure it's long and not simple to guess. Add symbols and numbers too.
Just use a simple password like 12345 so you can remember it easily.
And get all your stuff hacked. 😂😂
Hey! That's the same password I use on my luggage.
Waste a LOT OF TIME saying nothing!
Dislike. You CANNOT use only one password everywhere!
Done on purpose, of course, but the proper description is “use only one password to open the rest of your passwords!”.
Clickbait is needed for some “creators”, but what kind of idiot crowd can this bring?