💡 Security tip: Do not store email credentials in the password vault, in case it gets cracked you still have your email secure to retrieve all of your logins...
Just remember, people: if you get an email that seems to be from your password manager saying that you need to "verify" your account and they need your password, or if they ask you for your master password for whatever reason, DO NOT send them your master password, don't click the link and report the email as a phishing email! It's a phishing attack! Your password manager should and will never ask you for your master password.
Indeed. Also, any password manager worth anything wouldn't even know your master password due to zero knowledge, so that's another red flag if you receive such an email.
Personal bookmarks. 4:55. True explanation starts. 5:25. Two derivations from the password. 5:47. Master password authentication; how it's used in the grand scheme of things. 6:31. How LastPass creates a master password; appends email | master password; hashes this many times. 8:36. A main idea! 9:06. Difference between OnePass.
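For the "two derivations from the password" in the timestamps above, here is an added worked example of the scheme as the video describes it. This is my own code, not LastPass's or the video's: the client runs PBKDF2-SHA256 over the master password salted with the email to get the vault key, then one more PBKDF2 round over that key salted with the master password to get the value it sends for login. The email, master password, the placeholder ciphertext and the server's extra salted re-hash are my assumptions for the demo; the 100,100 client-side round count is the default LastPass publicised.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Demo credentials: constructed for this example, not real accounts.
EMAIL = "alice@example.com"
MASTER_PASSWORD = "correct horse battery staple"

# Client-side stretching rounds. 100,100 is the default LastPass publicised;
# the right number drifts upward as hardware gets faster.
CLIENT_ROUNDS = 100_100


def vault_key(email: str, master_password: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Derivation 1 (client only): the key that encrypts the vault.

    PBKDF2-SHA256 over the master password, salted with the normalised email.
    This value never leaves the client.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        rounds,
        dklen=32,
    )


def auth_hash(key: bytes, master_password: str) -> bytes:
    """Derivation 2 (client -> server): the login credential.

    One more PBKDF2 round over the vault key, salted with the master password.
    PBKDF2 is one-way, so the server learns neither the key nor the password.
    """
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode("utf-8"), 1, dklen=32)


class VaultServer:
    """Minimal stand-in for the service (assumption for the demo): it stores a
    salted re-hash of the auth hash, so a database dump is not itself a login
    token, and returns the encrypted vault blob on a successful login."""

    SERVER_ROUNDS = 10_000

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes, bytes]] = {}

    def _stretch(self, auth: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth, salt, self.SERVER_ROUNDS, dklen=32)

    def register(self, email: str, auth: bytes, encrypted_vault: bytes) -> None:
        salt = os.urandom(16)
        self._users[email] = (salt, self._stretch(auth, salt), encrypted_vault)

    def login(self, email: str, auth: bytes) -> bytes | None:
        """Return the encrypted vault if the auth hash matches, else None."""
        record = self._users.get(email)
        if record is None:
            return None
        salt, stored, blob = record
        if not hmac.compare_digest(self._stretch(auth, salt), stored):
            return None
        return blob

    def knows_vault_key(self, key: bytes) -> bool:
        """The server only ever holds salted hashes; the key is never stored."""
        return any(key in record for record in self._users.values())


def enrol_and_login(email: str, master_password: str, server: VaultServer) -> tuple[bytes, bytes, bool]:
    """Walk through both derivations and one login round trip."""
    key = vault_key(email, master_password)
    auth = auth_hash(key, master_password)
    # A real client would AES-encrypt the vault under `key`; a placeholder blob suffices here.
    server.register(email, auth, b"<ciphertext encrypted under vault key>")
    ok = server.login(email, auth) is not None
    return key, auth, ok


if __name__ == "__main__":
    srv = VaultServer()
    key, auth, ok = enrol_and_login(EMAIL, MASTER_PASSWORD, srv)
    print("vault key :", key.hex())
    print("auth hash :", auth.hex())
    print("login ok  :", ok)
    wrong = auth_hash(vault_key(EMAIL, "wrong password"), "wrong password")
    print("wrong pw  :", srv.login(EMAIL, wrong) is not None)
```

The check worth taking away: the value the server stores is two one-way functions removed from the vault key, so a leaked server database gives an attacker something to guess the master password against offline, but never the key itself. That is why the client-side round count, not the server, is what buys you time after a breach.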
Would really love to see an actual programming language or any subject tutorial from Dr. Mike Pound. Love the way he conveys knowledge, so easy to understand.
I maybe understand 10% of what Dr Pound is talking about, but he does it with such passion and enthusiasm that I'm still clicking on the videos when I see his face.
You can look up articles and academic sources while you are listening. It is what I do. I am not an expert either, but I made some remote effort to understand.
@@GRBtutorials App lockers are typically integrated into the application. App lockers are also associated with Android antivirus software. Note: the ones I will be referring to, unless stated otherwise, are the app 'blockers' associated with Android devices via third-party antivirus security programs. It is not encryption, more of a stop-gap measure. For example, let us say I am on a train and I set up an app locker. Somebody runs off the train and snatches my phone in the process. However, my phone is not locked. Most of us do not completely log out of our phones' mobile apps. Keep in mind, unless you are using an application-specific locker, this just prohibits them from interacting with the application directly. The application is indeed 'open.' A decent hacker could bypass the app locker, or blocker as it should be commonly called. This will give you time to lock and wipe the device. Keep in mind you can find third-party 'standalone' versions of this. My personal recommendation, if you are out on the town, is to try having two that overlap with each other, say in 1 minute and 30 second intervals. It will make it much harder for a common thief to access your applications, buying more time. If they keep your phone active, the phone will not lock until you get to a computer to remotely do it.
I would love to see an open-source password-manager core, and the companies use this core on their services, just like Signal does for messaging. This way we can be more confident about the implementation details of those architectures.
For those hailing from the future, which is unlikely given the age of the video, but here's hoping. You can use KeePassXC or any KeePass variant as a password manager without sync, then use Syncthing to sync the vault across devices. No server needed!
A scammer once created a profile for something without my consent and put the password as "123456". I changed it to something really complicated that I would forget.
I use KeePass and for the most important passwords I also include a last sequence of characters which I memorise, then even if someone has access to my database they won't get the whole password.
The key (get it?) is to select a password manager which will not entrap you in a perpetual subscription to function, e.g. they keep your vault in their paid cloud service. You don't want to be caught out by either a missed payment or the company having an operational issue separating you from your password vault. Always select a product which allows you to control where the vault is. E.g. I use 1Password but elected to use a local vault, and then I use Dropbox to sync between devices. If I decide to use another cloud storage provider, I can move the vault freely. Also, most of these products don't read each other's formats, so you can't easily migrate between products should one raise their prices or go out of business, forcing you to start from scratch. Customer lock-in is evil.
Agreed on your concept of customer lock-in. Almost all password managers, however, have the capability for you to export your entire vault into a file, which can then be imported into another password manager. As a matter of fact, I don't know one that doesn't have this function, although I'm sure they exist. If they do, those are the ones I'd never use.
Gregory Booth It may have an export function but more importantly, how can other products import the data? The database schemas are different. The devil is in the details. If you have to tweak a large number of imported entries then the “feature” isn’t really a feature.
@@lohphat The data is 'decipherable.' KeePass (depending on which version you use) allows you to export as a customized .html file. Yes, I would have to 'reconstruct' the database. However, it is salvageable. You should be backing up your database in different formats for logistical reasons every time you back up the file. The 3-2-1 rule of backing up still applies: three different copies, two different media formats. In this case, types equals file types. KeePass allows you to 'print' your password database file. Microsoft, for example, allows you to print to .pdf format and .xps format. You can also save screen captures of your database if you want to take the time to do it. Not to mention the numerous applications that allow you to export, print to, etc. You should be saving the last few versions of KeePass on a disk somewhere, so if you 'need' to port the data, you would still be able to read it. It is all about redundancy.
I don't really understand this. Where would you put this vault like on your MacBook, or external hard drive? And how do you secure it there? Trying to learn, but I am new to all this.
Well, I use my password manager for most things, but I'm a bit paranoid and I do have 5 passwords that I just remember: laptop, bank, email, phone, and, of course, the password to my password manager. (I guess phone and laptop are also practical; can't get to the password manager before I turn them on anyway!)
Not that you really need to even worry too much about the strength of your laptop or phone passwords. If someone has physical access to the device, all bets are off anyway. They don't need to ever learn your password to get access to anything locally stored on the device. Web-authenticated services (like your email) would still be safe though, I think (would have to see what is/isn't stored locally).
@@totlyepic Not *strictly* true, yes in the vast majority of cases 'if you hold the box you own the box' but things like fully encrypted drives, full secure boot / locked bootloaders, etc. mean that data can still be secured!
KeePass would be the best option here. It was audited by the EUFOSSA project. No Cloud to worry about, all local. You can save it anywhere, including the cloud if you wish. If you really still want a cloud based manager for convenience, Bitwarden is the way to go. Thanks for the video!
I have some methods. I already do this, so it's pretty safe. Method 1: Map all the English letters to some Unicode characters which you can remember. Basically you invent your own cipher. Then create some app/program in C++ or Rust which can convert any English .txt file to the Unicode-mapped .txt file. Print it on some card and keep it in your purse. The same can be written on paper. Only you can understand it. Method 2: Put all your secret stuff in a file. Encrypt it using some program or your own custom program. Keep the program binary in a private GitHub repo. Deny all outbound connections on your machine. Keep the encrypted .txt file anywhere you like, can be Gmail. It takes some effort to protect valuable things. Don't go for easy options.
Very simple way to vastly reduce the possibility of damage when your main password leaks: when creating a password for some site, let the password manager generate a strong password, save that to the password manager, but then add some static part at the end of the generated password that will be saved to the actual site but not to the password manager. The part you added will be the same for all of your saved passwords and you will have to remember it. This way, even if your password DB leaks somehow, the passwords themselves won't work and it still keeps most of the convenience of a password manager.
Being a software developer, I really like Pass. It's open source and leverages GPG and Git -- two things I use every day anyway -- instead of reinventing the wheel.
I've been through a few password managers (LastPass, 1Password, KeePass, and even storing a text file in a TrueCrypt/VeraCrypt mounted container) and found KeeWeb to be the best balance of security and useability.
You say there are three methods of keeping passwords: writing down, same password, or password manager. The best solution is to create a very simple formula that you can easily remember that creates unique passwords for each website. Off the top of my head, some base password that is easy to remember + some easily repeatable function (rule) that spits out a few characters to add to the base password. A hacker would have to have 2 hacked passwords + do specific code cracking to figure out your function.
@Computerfile: I feel that trusting larger password managers with sky storage is not about trusting the company to do the right thing. It is more about betting on who will be winning the fight when they make themselves a target, since many people will have a huge interest in gaining access to such information. They could become compromised by hackers employed by criminals, governments, or other people in power. Even while the cryptography is strong and sensible, other stuff could still happen, like modifications to the client software which would act as a trojan and not only protect the passwords as regular, but also supply them to a third party. But you are right. For everyday Joe the benefits of a non-effort password manager outweigh the small risk of putting all eggs in the same basket when the security is so strong.
It depends. For instance, I use KeePass. If I forget my database password, I'm 100% SOL, whereas LastPass does offer recovery. I would argue that this is a security weakness, since then there are options for malicious actors to access the password DB more easily. So while I do maintain a cloud-storage backup of my password DB, it is protected by multiple passwords- the unique password to access the cloud service, and the unique password to unencrypt the password database. While a breach may be possible, it is still more secure than having a recovery alternative. And the likelihood of me forgetting the KeePass password is nonexistent, since aside from my phone unlock password it is the most frequently used password, and if I forget something I'm typing several times per day I likely have larger problems.
With google your devices are part of a sync to where they all store your data. In what way they are encrypted in storage I don't know but it is NOT based on your master password. Thus resetting the master is just a matter of creating a new cloud sync with the existing data on the device.
@@zrobotics Hi, zrobotics. I'm a new KeePass user. Where or how have you been backing up your KeePass database and private key? Do you trust backing them up to a web server or cloud storage, or have you been keeping them on offline harddrives?
I'll just say that I will never trust my passwords, password vaults or personal data with any company, individual or scheme that offers something along the lines of "master password recovery". If anything even remotely close to that is possible, it is, in security terms, a situation equivalent to storing all of your passwords in cleartext on a single server accessed by arbitrary people.
I use a password manager. But I also use/have used another system that has made me have unique, complex passwords for every service, that I remember and don't write down. I simply come up with a default complex password. Then I incorporate the service in question in some decided manner. One example could be the domain name, perhaps with alternating small and big letters and some letters exchanged for numbers. Now when you reach a site you will know your unique password for that site simply by knowing the site's domain name and your own personal rules for your password.
Choose a password manager that supports security keys like Yubikey. That way an attacker not only has to guess your master password, they also need your physical key to authenticate.
A password manager sits above all browsers that may have stored different passwords for you. It also sits above all devices that you may have, for example between operating systems, PC and mobile devices.
You can use KeePass with the IOProtocolExt extension to sync it via WebDAV with various cloud providers. It even provides synchronizing if the KeePass database was updated on the server. I have it set up so whenever I open KeePass it prompts me for my password, which is stored remotely on my Nextcloud server. It retrieves this password database via WebDAV. And each KeePass installation has a separate key in Nextcloud so it can download the file. The password database file is also locally stored using the Nextcloud client, but it is safer and faster to write to the database via WebDAV.
That's the beauty of KeePass. You own it completely and use it however suits your use case. I have my devices (laptops and smart phone) sync the KeePass vault via a backup copy on my home DNS server over SFTP, but only from within my LAN. My devices don't sync when I'm not home, but it means my database never leaves any of my hardware.
Another option is using a long structured password with small variations. That way they are all different yet easy to remember. Example: Service: YouTube ---Add 1 letter---> Zpvuvcf. Base password: Something_With_"$%&!"_and_"134679". Then you merge them: Something_With_"Zpvuvcf",_"$%&!"_and_"134679". So there, you have a somewhat secure password and easy to remember. You can make it longer, shorter, with more symbols or mess it up a bit. Also, as the letters seem random, you don't need to worry (too much) about someone getting the plain-text password in a data leak. Most likely no one will understand what "Zpvuvcf" means.
If you're worried about a password manager breach, just encrypt all your passwords by hand before storing them in the password manager. Sure, it's more work than just keeping all your passwords in a handwritten book, but you also get to show off how cool you are to your friends.
I cannot tell if you are joking or not! What? That does not make sense on many levels. In case someone is seriously considering writing down their passwords in a book: 1) First off, one of the important reasons everybody recommends a password manager is because the software can create a completely randomized password. Encrypting by hand involves your human brain, which for this task is way more inefficient. 2) Books are not bad things. I cringe to this day when I see somebody throw away a book. The problem is storage, security and convenience. Software is superior.
@@jamesedwards3923 Yeah it's a joke lol. The actual secure way would be to take the generated passwords and write them in a book. You'd still have to keep the book secure, but that's usually not a problem.
I use KeePassXC and it's quite convenient. It can perform autotype, that's all I need. The database file itself is synchronised between my devices using ownCloud.
Thanks for your recommendation, this project looks quite decent. I use ownCloud for calendar and contacts as well, so I'll probably stick with that, but thanks anyway.
Yeah I heard something like "You can use KeePass at the loss of some convenience" but I didn't understand what the loss of convenience was? AutoType based on window title works great and is SURELY safer than trusting my browser / plugins to not have any security holes?
Remember one good one for your main email and have password manager for other sites. If you lose the password manager, you can easily just reset the password with your email.
I think KeePass is the best solution. You have control of the vault yourself and you can have two different keys for the vault - you can have a keyfile and a master password that are both required to open the vault. This means that you could sync the vault through online services, but only move keyfiles through offline methods. Also, another thing you can do is have different vaults for different levels of passwords. For example, you could have a vault that only stores your unimportant forum logins and what not and then have a separate vault that includes more important information.
*Master Password* is a great password manager for those who are extra paranoid. It's free as in freedom software (so not _just_ simply open source), and it will work even if all your devices simultaneously combust or something. It _generates_ passwords based upon your master password and name. This means it's not stored on some cloud service where the NSA has full access to it, and it's not even really stored locally.
@@KanalMcLP Nope. You can just increment a number associated with that site/user and you'll get a new password. To change your master password however would probably require all passwords to change.
I have two passwords written down in a notebook, hand-encrypted (weakly, I admit, but I have to decrypt it entirely in my head when I forget one or the other of the passwords). One is for my keepass database, the other is for the cloud storage service (no I'm not telling you which one) I use for the sole purpose of backing up that database and transferring it between devices. There's a lot of other files on that cloud storage account, but they're all random data with similar filenames to the actual database. You know, for extra obfuscation.
I have a better idea. Use that code you wrote down as the second authentication. What do I mean? Do not commit your cloud storage password to your head. It is a bad idea, because your cloud storage password can be 'compromised' any number of ways. Your KeePass password, committed to memory, is a lot harder. Put your KeePass file in another encrypted file. Congratulations, you created at least three factors of authentication. One is your external encryption password. Then you have your KeePass password. You also have a keyfile. You are welcome, by the way.
Always enjoy these videos. But can you talk more about account recovery keys? Or master decryption keys and how they work. A lot of these services have methods to recover your account in case you lose your master password with master keys; how do those work?
Everyone is mentioning KeePass as their offline password manager of choice, but I personally am happy with (GNU) pass. I like the convenience of my GPG key being my master key and syncing across devices using git.
They are definitely stored in plain text for Chrome and Firefox on Win7 and 10, at least. If you right click a password box, inspect element, and change this field: type="password" to be type="text", you will see your plain text password. Which is why I don't let browsers save my passwords.
Browsers will encrypt passwords on disk. I don't have a huge problem with them, but I just find syncing between devices easier without tying to a browser. Or maybe if I get a new device. I personally would also rather avoid Google having my passwords, simply because it also gives Google a list of sites I think are important. Just one more thing it learns about me!
@@flateartherpaintball5214 I just tried this on the latest version of Google Chrome on Win 10. All I got was a blank box (I even tried copying it in case it was unreadable and all I copied was some spaces), to make the password visible I had to click the button for it, and then use my full windows login to confirm I wanted a password to be visible.
@@flateartherpaintball5214 How the browser shows it in a form has nothing to do with how the browser stores it on disk. If it wouldn't do what you described, you could literally not use it, as it needs to in the end send it as plaintext to the server.
SharpScripter The only "graphical passwords" I have heard of are basically disguised onscreen 9 or 12 key keyboards with limitations in what numbers you can enter. So really weak passwords for people who don't read so well.
All these password managers were far too complex for most of my family, who didn't understand many of the features and just wanted something they could use easily. My Password Book for iOS devices was ideal and did not require any third-party registration.
No disrespect at all. I am a blunt person. Again, no disrespect intended. The flaw with using built-in browser password managers is that if the account is compromised, the passwords are compromised. That is not the same if you use a program like KeePass or Password Safe. Even if you choose to use a 'retail' password manager, that is at least a separate account on a separate service. Also, based on my personal experience, reading and observations, your statement suggests that their passwords to their iOS accounts are garbage. Unless they're elderly, have memory issues, or the like, I would never recommend it to anybody. I have known, conversed with, or read about people who have had their password managers hacked. Most of the time, it was due to poor 'basic' security measures, on top of garbage passwords. It is one thing to get hacked; however, I am tired of people telling me they were hacked, but the adversary did not have to put any real time or effort into it.
Okay. But if KeePass decide that the project is too much and server costs are too high, and shut down, I can keep using their program AND I can get all my passwords back. A cloud service? Isn't free and is a weak link in the chain. If you want to use KeePass across devices, employing a well-configured gdrive and Google's Backup and Sync (or another cloud service), will ensure all your devices keep their key vaults up to date.
Keepassxc file inside encrypted file container + mega.nz cloud is a great option. The keepass file is encrypted, the file container can be encrypted with multiple layers using different methods, the cloud account is encrypted, and also free.
@@ashishpatel350 With keepass you can encrypt your DB with combination of password + keyfile. Sync your DB via google drive and keep your keyfile out of it. I think even google would have problem cracking your DB without keyfile.
It all fell apart when a company named Flightsim Labs (FS Labs), a producer of overpriced flight simulator addons, smuggled a PW sniffer into their installer. This installer demanded admin rights and was somehow able to read the Chrome passwords and possibly others, too. All of this was to combat software piracy, of course. Something this very company had done, too, btw. So the customer buys a 140 Euro software, grants admin rights because otherwise his expensive and as per EULA not refundable software won't install, and without the customer's knowledge the passwords would be uploaded to the company's server. Unencrypted, if that still matters. Of course they got away with it.
Oh yeah I know these guys, they've been polling their users for over a year asking them if they want an updated version of the Concorde for P3D v4/v5.... the update costs as much as a new product, even though it's just the same plane made for a slightly newer version of the simulator. So far, no updated version of the plane has been made, likely because there wasn't enough people throwing money at their screen when reading that. I didn't know that they did this, but they seemed like scumbags to me just because of making customers pay full price for updates, as if it wasn't expensive enough
How did they get away with it? Stealing passwords is highly illegal no matter how you spin it. Even if they didn't use the passwords if they've clearly compromised the safety of their customers that's a huge lawsuit right there.
All the encryption stuff is great for computers storing information, but a person still needs to remember the plain text password required to unlock it all. For that, people write it down on a sticky note and hang it somewhere around their computer so they don't forget it.
assuming it's in your house and really no one has access to it besides you, it's not such a terrible idea. in that scenario the biggest worry would be losing whatever paper you have the password written in.
Thanks to this video I started using a password manager. I gotta admit, it feels a bit scary (at first, I hope), even though I understand that my online accounts are probably way more secure than they've ever been.
I use HMAC to deterministically generate my passwords (master + domain) every time I need them, but then I use LastPass on my phone for a few passwords for fingerprint auto-fill convenience.
Around 1:35, you missed an option, Mike: use a mental algorithm to create your passwords, so that every password is different, but you don't have to remember them all because you can re-create them on demand :) That's what I do. Every password I ever use is different, but I don't remember most of them; I just remember how to form them and do that when needed.
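Several comments in this thread (the Master Password app that generates from master password and name, the HMAC-of-master-and-domain approach, and the mental algorithm described just above) all describe deriving each site password on demand instead of storing it. Here is an added example of that approach in working code. It is my own construction, not any of those commenters' code and not the Master Password app's algorithm (which uses a different KDF): the master password is first stretched with PBKDF2 salted with the user's name, then HMAC-SHA256 keyed with that stretched key over the domain and a counter is mapped onto a password alphabet. The name, domain and counter values are constructed inputs.

```python
from __future__ import annotations

import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"  # 75 symbols
STRETCH_ROUNDS = 100_000  # slows down guessing the master from a leaked site password


def stretch_master(master_password: str, user_name: str, rounds: int = STRETCH_ROUNDS) -> bytes:
    """Turn the memorised master password into a 32-byte key.

    The user's name is the salt, so two people with the same master password
    still get different keys. This is the only slow step; per-site generation
    below is then cheap.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        user_name.encode("utf-8"),
        rounds,
        dklen=32,
    )


def site_password(master_key: bytes, domain: str, counter: int = 1, length: int = 20) -> str:
    """Derive a site password from HMAC-SHA256(master_key, domain || counter).

    Bumping `counter` gives a fresh password for the same site (the "increment
    a number" rotation mentioned in the thread). Digest bytes are mapped onto
    ALPHABET with rejection sampling so every symbol is equally likely; further
    HMAC blocks are pulled until the requested length is reached.
    """
    if not 8 <= length <= 64:
        raise ValueError("length out of range")
    limit = 256 - (256 % len(ALPHABET))  # largest multiple of len(ALPHABET) <= 256
    label = f"{domain.strip().lower()}\x00{counter}".encode("utf-8")
    out: list[str] = []
    block = 0
    while len(out) < length:
        digest = hmac.new(master_key, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in digest:
            if b < limit:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)


def regenerate(master_password: str, user_name: str, domain: str, counter: int = 1) -> str:
    """Everything needed to recover a password: master, name, domain, counter."""
    return site_password(stretch_master(master_password, user_name), domain, counter)


if __name__ == "__main__":
    # Constructed inputs for the demo.
    key = stretch_master("correct horse battery staple", "Alice Example")
    for site in ("example.com", "mail.example.org"):
        print(site, site_password(key, site), site_password(key, site, counter=2))
```

Two caveats a practitioner would add. First, the function is public, so a single leaked site password is an offline oracle for the master password; the PBKDF2 stretching only makes each guess slower, it does not rescue a weak master. Second, a scheme like this has no place to record per-site password policies or which counter is current, which is exactly the state a password manager stores for you.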
You can probably write a simple password manager on your own as a shell script. It's basically just a hashtable (service as key and password as value) which can be encrypted or decrypted using GPG. If you want access to it from different devices, you can put the encrypted file in your Nextcloud. There is no need for a specific service which stores passwords only. Fun fact: if we could authenticate via a GPG key in our TLS traffic, we would not even need so many passwords in the first place.
This weekend I started a pw manager and bought a server to host a git repo. I'm using pass for Linux. I thought I was being re-marketed and then saw the date on the vid. It works too. pass git push/pull and boom.
I use a self-hosted Bitbucket container on my file server. If I need a password on my phone, I can VPN into my home network and get whatever I need. A few extra steps but it's not too bad. I used KeePassXC (I think that's what it's called) for a while but I wanted something multiple devices could potentially access at the same time.
??? That would mean you are sharing the data. It would be efficient to store backups of the KeePass file on your own server. Then if you needed to retrieve it, just do it. Also if you needed to back up the file, it is done.
Super awesome! I love password topics covered by your channel. Please more. Thanks!! Also: A recommendation which password manager Dr. Pound is using would be great!
Michael Hammer That would probably be a security flaw in and of itself. You probably don’t want the whole world knowing which service you use, as they may start trying the “forgot password” tool and possibly get in.
I use Veracrypt to create an encrypted file which I then store on the cloud. I feel much more comfortable knowing that I've encrypted it using 3 different algorithms.
@I And yet should the time come where one of these algorithms is broken, I'll be grateful I've encrypted it 3 times over. My volume is more than fast enough. I'm only rocking .txt files and pictures in it. It's not like I'm running a server or something.
@I A better option is using separate encrypted files. 1) KeePass file. 2) Then put it in a VeraCrypt file. 3) Then put the file in a .7z or .zip file. Three layers. Three passwords. Multiple iterations.
I started using an online password manager after this video. Honestly, at first I thought using an offline-based one could be safer, yet they're so annoying and tedious.
For almost all users there's no real security bonus to keeping it offline; the people that really need it need to be trained how to use it right or it can be worse for them. As long as it's implemented correctly like this video describes. Don't put your passwords in Excel and post to GitHub /troll :)
That is the point. You are trying to break a behavior that is going to put you into a weaker position. Research and read the data on how passwords are commonly broken. Generally, once hashes are extracted from a database, they are broken with dictionary attacks, then brute force. Brute force often works on weaker encryption. Dictionary attacks work typically on common password patterns. A program that uses both and has the power to do it reasonably fast is the danger you want to avoid. You can search YouTube: .7z file as well as .zip file hashes can be extracted. What you care about is somebody taking that hash, which is the mushed and mixed-up version of your password, then running the aforementioned and finding a match.
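As an added illustration of the attack order the comment above describes (dictionary first, brute force second), and not code from the video or the commenter: a stolen salted PBKDF2 hash is attacked by running the very same KDF over a small wordlist with a few mangling rules, then over every short digit string. The wordlist, the salt and the three "leaked" hashes are constructed for the demo, and the round count is kept at 1,000 so it finishes in seconds; the point of the 100,000+ counts real vaults use is precisely to make every guess cost more.

```python
from __future__ import annotations

import hashlib
import itertools
import string
import time

ROUNDS = 1_000  # deliberately low so the demo runs in seconds; real vaults use 100k+


def kdf(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """The defender's hash function. The attacker runs the identical function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)


# Constructed "stolen database": one salt, three users' hashes.
SALT = b"alice@example.com"
LEAKED = {
    "alice": kdf("dragon1", SALT),                       # wordlist word + a mangling rule
    "bob": kdf("2319", SALT),                            # short all-digit string
    "carol": kdf("correct horse battery staple", SALT),  # out of reach of both phases
}

# A tiny stand-in for a real wordlist such as rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "dragon", "letmein", "monkey"]

# Mangling rules: the "common password patterns" a dictionary attack exploits.
RULES = (
    lambda w: w,
    lambda w: w + "1",
    lambda w: w.capitalize(),
    lambda w: w.capitalize() + "!",
)


def dictionary_attack(target: bytes, salt: bytes) -> str | None:
    """Phase 1: wordlist times rules. Cheap, and catches most human-chosen passwords."""
    for word in WORDLIST:
        for rule in RULES:
            guess = rule(word)
            if kdf(guess, salt) == target:
                return guess
    return None


def brute_force(target: bytes, salt: bytes, alphabet: str = string.digits, max_len: int = 4) -> str | None:
    """Phase 2: exhaustive search over short strings. Cost is roughly
    len(alphabet)**max_len times the KDF cost, so the round count matters
    far more than which hash function sits underneath."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            guess = "".join(chars)
            if kdf(guess, salt) == target:
                return guess
    return None


def crack(target: bytes, salt: bytes) -> tuple[str | None, str | None]:
    """Dictionary first, brute force second; returns (password, phase) or (None, None)."""
    hit = dictionary_attack(target, salt)
    if hit is not None:
        return hit, "dictionary"
    hit = brute_force(target, salt)
    if hit is not None:
        return hit, "brute-force"
    return None, None


def guesses_per_second(salt: bytes, rounds: int, samples: int = 20) -> float:
    """Rough single-core guess rate for a given round count (timing, so indicative only)."""
    start = time.perf_counter()
    for i in range(samples):
        kdf(f"guess{i}", salt, rounds)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    for user, h in LEAKED.items():
        print(user, crack(h, SALT))
    for r in (ROUNDS, 100_100):
        print(f"{r:>7} rounds: ~{guesses_per_second(SALT, r):,.0f} guesses/s on this machine")
```

Running it shows the two phases in order: alice falls to the dictionary, bob to the digit search, and carol survives both. Scale the guess rate printed at the end by the size of your own password's search space to see why a random, generated password plus a high round count is what defeats this, not the choice of SHA-256 versus anything else.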
@@jamesedwards3923 That's why you have a strong master password for your password manager and have it create strong, unique passwords for all your sites. 1Password has the advantage of having built-in 2FA by generating a Secret Key that only the user has access to.
You forgot the fourth option. Create a password dependent on the website, for example "Google's background is white" might be a google password, and you can use that pattern with multiple sites. Rinse and repeat each site's password is different and you can remember all your passwords.
@@DanStoneUK Maybe so but if someone has a keylogger on you and you use a password manager you're also in trouble. It doesn't stop manual attacks, but it stops quick scans hackers might do over leaked password lists.
for me, the question is: how do pass managers fill the fields on the sites? JS injection, native copy/paste methods, simulating keystrokes? I don't understand that
Keepass simulates keystrokes, which has the advantage that it doesn't matter whether you are logging into a web service or using some proprietary software, such as a gaming client. AFAIK the other ones are completely different, but I haven't used them myself. At least their websites are only ever talking about filling in web forms.
I'm surprised that nothing was said about Argon2. Also, KeePass has some protective mechanisms against keyloggers: Secure Desktop, Two-Channel Auto-Type Obfuscation.
The problem I have with Argon2 is simple. Some ports of KeePass do not support it. Which is annoying. However, it is an open source project. So I do not complain. I am just making the statement.
i made my own offline password locker, it's got steganography, voice recognition and basic sha encryption on top of it! inspired by computer file videos!
The main issue I see with online password managers that cost money is that they kinda pull you into a racket, because now if you don't pay them, they have all your passwords to all your stuff, and there's no way you can possibly figure out those passwords on your own to recover your accounts if they end up jacking up the prices or changing owners to a parent company you can't trust like Microsoft.
So essentially this is just like PGP. There is a private key and a "public" one. You give the public to the password manager which then returns your vault, which then you decrypt using your private key.
KeePass FTW. I use KeePass with a 2-step password: one is my password and the other is a local key file, and KeePass add-ons allow for browser autologin and also cloud storage.
Is the automatic login from Google Chrome or Samsung phones also some sort of password manager, or do they use different (less secure?!) methods and are not advisable?
How would you feel about a user utilizing a local password management program and merely saving the file on Dropbox, Google Drive or similar? Sort of a deflection of the concern of a big target on the back of Dashlane et al., at the expense of a little less intrinsic security.
List of options by Dr. Pound:
1. Write passwords down
2. Use the same strong password everywhere
3. Use a password manager
Actual options:
1. Write passwords down
2. Use the same strong password everywhere
3. Use a password manager
4. Create your own system of generating passwords for each website that doesn't need to be written down
this is The Lockpicking Lawyer and what i have for you today is the concept and function of the password managers.
Very funny 10/10, off to Edinburgh now!!
A little click out of 1..2...3,..., 256 aaand we got our AES-Key
Meta
Nothing on ksda34bw4t4748797sjTe.........nothing on WxB7ww3n7464se4etesimyf8e4qwq.............
*50 million years later*
Dr. Pound is one of the best presenters......his dryness is also absolutely hilarious. LOL
Ok, so WHAT WE'RE GONNA DO, right? Is this..
@@BlueZirnitra HAHAAHAH!!!! I think he's likely as awesome lecturer as well. Would love to sit in on one.
Pound that like button for Dr Mike
Swipe650 not gonna say what I was thinking. Nope. Just gonna walk away from that one.
@@abandonedmuse Pound Dr Mike's Button perhaps?
💡 Security tip: Do not store email credentials in the password vault, in case it gets cracked you still have your email secure to retrieve all of your logins...
vault*
Edit: it's been fixed :)
Not bad advice at all.
Thanks... corrected
@@BattousaiHBr or... use MFA (2FA) on your PW manager
Who in the world should hack my password vault KeePassXC? How?
Just remember, people: if you get an email that seems to be from your password manager saying that you need to "verify" your account and they need your password, or if they ask you for your master password for whatever reason, DO NOT send them your master password, don't click the link and report the email as a fishing email! It's a fishing attack! Your password manager should and will never ask you for your master password.
If you use KeePass or Password Safe, that is not an issue, now is it?
Phishing*
Indeed. Also any password manager worth anything wouldn't even know your master password due to zero knowledge so that's another red flag if receiving such an email
Personal bookmarks.
4:55. True explanation starts.
5:25. Two derivations from the password.
5:47. Master password authentication; how it's used in the grand scheme of things.
6:31. How LastPass creates a master password; appends email | master password; hashes this many times.
8:36. A main idea!
9:06. Difference between OnePass.
Would really love to see an actual programming language or any subject tutorial from Dr. Mike Pound. Love the way he conveys knowledge, so easy to understand.
i’m r que le hemos
So much less stress watching these out of interest and not as part of a cramming session.
@Sassy The Sasquatch You would be surprised how many exams and tests people (including me) manage to pass (hehe) by learning from YT videos.
I maybe understand 10% of what Dr Pound is talking about, but he does it with such a passion and enthusiasm that I'm still clicking on the videos when I see his face.
You can look up articles and academic sources while you are listening. It is what I do. I am not an expert either, but I made some remote effort to understand.
"Go and animate that."
1:05 Who is Kate? Is Bob cheating on Alice?!
yes
ProBob drama ensues
It's his and Alice's daughter. He loves his daughter.
@@josue_mejia ^ So he's bangin his daughter? Seems legit.
@@jmullentech this is not game of thrones
Tip of the day: always use 2FA if able. Thanks to that you can add an extra layer of security on top of your password manager.
Also turn on an app locker or app blocker on your android device. It is not encryption. It is a stop gap to hinder casual or criminal intrusion.
James Edwards And how would that differ from just using a device-wide code?
@@GRBtutorials App lockers are typically integrated into the application. App lockers are also associated with Android antivirus software.
Note: the ones I will be referring to, unless stated otherwise, are the app 'blockers' associated with Android devices via third-party antivirus security programs.
It is not encryption, more of a stop-gap measure.
For example, let us say I am on a train and I set up an app locker. Somebody runs off the train and snatches my phone in the process. However, my phone is not locked. Most of us do not completely log out of our phones' mobile apps.
Keep in mind, unless you are using an application-specific locker, this just prohibits them from interacting with the application directly. The application is indeed 'open.' A decent hacker could bypass the app locker, or blocker as it should be commonly called.
This will give you time to lock and wipe the device.
Keep in mind you can find third-party 'standalone' versions of this.
My personal recommendation is that if you are out on the town, try having two that overlap with each other, say in 1 minute and 30 second intervals. It will make it much harder for a common thief to access your applications, buying more time.
If they keep your phone active, the phone will not lock until you get to a computer to remotely do it.
I would love to see an open-source password-manager core, and the companies use this core on their services, just like Signal does for messaging. This way we can be more confident about the implementation details of those architectures.
Bitwarden says hi
For those hailing from the future, which is unlikely given the age of the video but here's hoping.
You can use KeepassXC or any KeePass variant as a password manager without sync, then use Syncthing to sync the vault across devices.
No server needed!
What about "password321"? I bet that one's rock solid, but I can't use it now because wanting to share my brilliance has foiled me yet again.
A scammer once created a profile for something without my consent and put the password as "123456". I changed it to something really complicated that I would forget.
Don't worry, hunter2 is the best password
Don't you just hate it when that happens.
You are your own nemesis
Password321 for extra security
I use KeePass and for the most important passwords I also include a last sequence of characters which I memorise, then even if someone has access to my database they won't get the whole password.
The double blind method is efficient.
How much more tractor feed paper does the computing department have from the 1980s?
See that storeroom over there? .......
That storeroom is where we keep the list of storage locations for the paper.
Whenever I see the computerphile video finally has Mike back in, I'm always instantly clicking
You could have just said "I'm a simple man. I see Mike, I click".
@@chicoktc I'm a man of taste, I form my own answers ;)
The key (get it?) is to select a password manager which will not entrap you in a perpetual subscription to function, e.g. they keep your vault in their paid cloud service. You don't want to be caught out by either a missed payment or the company having an operational issue separating you from your password vault.
Always select a product which allows you to control where the vault is. E.g. I use 1Password but elected to use a local vault, and then I use Dropbox to sync between devices. If I decide to use another cloud storage provider, I can move the vault freely.
Also, most of these products don't read each other's formats, so you can't easily migrate between products should one raise their prices or go out of business, forcing you to start from scratch.
Customer lock-in is evil.
Agreed on your concept of customer lock-in. Almost all password managers, however, have the capability for you to export your entire vault into a file, which can then be imported into another password manager. As a matter of fact, I don't know one that doesn't have this function, although I'm sure they exist. If they do, those are the ones I'd never use.
I try to support open source software.
Gregory Booth It may have an export function but more importantly, how can other products import the data? The database schemas are different. The devil is in the details. If you have to tweak a large number of imported entries then the “feature” isn’t really a feature.
@@lohphat The data is 'decipherable.' KeePass (depending on which version you use) allows you to export as a customized .html file. Yes, I would have to 'reconstruct' the database. However, it is salvageable. You should be backing up your database in different formats for logistical reasons every time you back up the file. The 3-2-1 rule of backing up still applies: three different copies, two different media formats. In this case, types equals file types.
KeePass allows you to 'print' your password database file. Microsoft, for example, allows you to print to .pdf format and .xps format. You can also save screen captures of your database if you want to take the time to do it.
- Not to mention the numerous applications that allow you to export, print to, etc.
You should be saving the last few versions of KeePass on a disk somewhere. So if you 'need' to port the data, you would still be able to read it. It is all about redundancy.
I don't really understand this. Where would you put this vault like on your MacBook, or external hard drive? And how do you secure it there? Trying to learn, but I am new to all this.
Well, I use my password manager for most things but I'm a bit paranoid and I do have 5 passwords that I just remember: Laptop, bank, email, phone, and. of course, the password to my password manager.
(I guess phone and laptop are also practical; can't get to the password manager before I turn them on anyway!)
Same here
Not that you really need to even worry too much about the strength of your laptop or phone passwords. If someone has physical access to the device, all bets are off anyway. They don't need to ever learn your password to get access to anything locally stored on the device. Web-authenticated services (like your email) would still be safe though, I think (would have to see what is/isn't stored locally).
@@totlyepic Not *strictly* true, yes in the vast majority of cases 'if you hold the box you own the box' but things like fully encrypted drives, full secure boot / locked bootloaders, etc. mean that data can still be secured!
Plot twist: “Laptop”, “bank”, “email”, “phone”, “and. of course”, are the actual 5 passwords he’s using.
You are being logical. I do not remember my bank password, but more logical than most I have encountered.
KeePass would be the best option here. It was audited by the EU-FOSSA project. No cloud to worry about, all local. You can save it anywhere, including the cloud if you wish. If you really still want a cloud-based manager for convenience, Bitwarden is the way to go. Thanks for the video!
I like to use KeePass with Syncthing to keep everything up to date, but you could use other FOSS tools like rsync or Nextcloud.
I have some methods. I already do this, so it's pretty safe.
Method 1: Map all the letters of the English alphabet to some Unicode characters which you can remember. Basically you invent your own cipher. Then create some app/program in C++ or Rust which can convert any English text file to the Unicode-mapped text file. Print it on some card and keep it in your purse.
The same can be written on paper. Only you can understand it.
Method 2: Put all your secret stuff in a file. Encrypt it using some program or your own custom program. Keep the program binary in a private GitHub repo. Deny all outbound connections on your machine. Keep the encrypted text file anywhere you like; it can be Gmail.
It takes some effort to protect valuable things. Don't go for easy options.
A very simple way to vastly reduce the possibility of damage when your main password leaks: when creating a password for some site, let the password manager generate a strong password and save that to the password manager, but then add some static part at the end of the generated password that will be saved to the actual site but not to the password manager. The part you added will be the same for all of your saved passwords and you will have to remember it.
This way, even if your password DB leaks somehow, the passwords themselves won't work, and it still keeps most of the convenience of a password manager.
elukok that's very clever!!
That's a fantastic suggestion. I'm definitely going to start doing that.
Being a software developer, I really like Pass. It's open source and leverages GPG and Git -- two things I use every day anyway -- instead of reinventing the wheel.
KeePass?
No, passwordstore.org
Your email is used to reset so much stuff. If any of your passwords are unique and secure, it should be that one
I've been through a few password managers (LastPass, 1Password, KeePass, and even storing a text file in a TrueCrypt/VeraCrypt mounted container) and found KeeWeb to be the best balance of security and usability.
You say there are three methods of keeping passwords: writing them down, the same password, or a password manager. The best solution is to create a very simple formula that you can easily remember that creates unique passwords for each website. Off the top of my head: some base password that is easy to remember + some easily repeatable function (rule) that spits out a few characters to add to the base password. A hacker would have to have 2 hacked passwords + do specific code cracking to figure out your function.
Brock Elmore This is actually a smart idea.
@Computerphile: I feel that trusting larger password managers with sky storage is not about trusting the company to do the right thing. It is more about betting on who will be winning the fight when they make themselves a target, since many people will have a huge interest in gaining access to such information. They could become compromised by hackers employed by criminals, governments, or other people in power. Even while the cryptography is strong and sensible, other stuff could still happen, like modifications to the client software which would act as a trojan and not only protect the passwords as regular, but also supply them to a third party. But you are right. For the everyday Joe, the benefits of a no-effort password manager outweigh the small risk of putting all eggs in the same basket when the security is so strong.
If you do not trust cloud password managers, there are other options; then encrypt those files.
Again, there are so many options, free, paid, or open source.
+1 for KeePass mention
Will there be a followup episode on how the 'master password recovery' procedure works in those kind of solutions?
*T-Mobile Austria has left the chat*
It depends. For instance, I use KeePass. If I forget my database password, I'm 100% SOL, whereas LastPass does offer recovery. I would argue that this is a security weakness, since then there are options for malicious actors to access the password DB more easily. So while I do maintain a cloud-storage backup of my password DB, it is protected by multiple passwords: the unique password to access the cloud service, and the unique password to decrypt the password database. While a breach may be possible, it is still more secure than having a recovery alternative. And the likelihood of me forgetting the KeePass password is nonexistent, since aside from my phone unlock password it is the most frequently used password, and if I forget something I'm typing several times per day I likely have larger problems.
With google your devices are part of a sync to where they all store your data. In what way they are encrypted in storage I don't know but it is NOT based on your master password. Thus resetting the master is just a matter of creating a new cloud sync with the existing data on the device.
@@zrobotics Hi, zrobotics. I'm a new KeePass user. Where or how have you been backing up your KeePass database and private key? Do you trust backing them up to a web server or cloud storage, or have you been keeping them on offline harddrives?
I'll just say that I will never trust my passwords, password vaults or personal data with any company, individual or scheme that offers something along the lines of "master password recovery". If anything even remotely close to that is possible, it is, in security terms, a situation equivalent to storing all of your passwords in cleartext on a single server accessed by arbitrary people.
I use a password manager. But I also use/have used another system that has made me have unique, complex passwords for every service, that I remember and don't write down. I simply come up with a default complex password. Then I incorporate the service in question in some decided manner. One example could be the domain name, perhaps with alternating small and big letters and some letters exchanged for numbers.
Now when you reach a site you will know your unique password for that site simply by knowing the sites domain name and your own personal rules for your password.
Choose a password manager that supports security keys like Yubikey. That way an attacker not only has to guess your master password, they also need your physical key to authenticate.
Mike Pound is the best. Love this guy.
Password1: 10 IQ
using a password manager: 100 IQ
1drowssaP: 1000 IQ
A password manager sits above all browsers that you may have stored different passwords in.
It also sits above all devices that you may have, for example across operating systems, PCs and mobile devices.
You can use KeePass with the IOProtocolExt extension to sync it via WebDAV with various cloud providers. It even synchronizes if the KeePass database was updated on the server.
I have it set up so whenever I open KeePass it prompts me for my password, which is stored remotely on my Nextcloud server. It retrieves this password database via WebDAV. And each KeePass installation has a separate key in Nextcloud so it can download the file.
The password database file is also locally stored using the Nextcloud client, but it is safer and faster to write to the database via WebDAV.
That's the beauty of KeePass. You own it completely and use it however suits your use case. I have my devices (laptops and smartphone) sync the KeePass vault via a backup copy on my home DNS server over SFTP, but only from within my LAN. My devices don't sync when I'm not home, but it means my database never leaves any of my hardware.
Was really happy to see a video about password managers featuring Mike Pound. 😃👌
Another option is using a long structured password with small variations. That way they are all different yet easy to remember.
Example:
Service: RUclips ---Add 1 letter---> Zpvuvcf
Base password: Something_With_"$%&!"_and_"134679"
Then you merge them:
Something_With_"Zpvuvcf",_"$%&!"_and_"134679"
So there, you have a somewhat secure password that is easy to remember. You can make it longer, shorter, with more symbols, or mess it up a bit. Also, as the letters seem random, you don't need to worry (too much) about someone getting the plain-text password in a data leak. Most likely no one will understand what "Zpvuvcf" means.
I wish this guy is a lecturer in my university. Dude is a genius.
If you're worried about a password manager breach, just encrypt all your passwords by hand before storing them in the password manager. Sure, it's more work than just keeping all your passwords in a handwritten book, but you also get to show off how cool you are to your friends.
"encrypt by hand" - surely you're joking
I cannot tell if you are joking or not! What, that does not make sense on many levels. In case someone is seriously considering writing down their passwords in a book:
1) First off, one of the important reasons everybody recommends a password manager is because the software can create a completely randomized password. Encrypting by hand involves your human brain, which for this task is way more inefficient.
2) Books are not bad things. I cringe to this day when I see somebody throw away a book. The problem is storage, security and convenience. Software is superior.
@@jamesedwards3923 Yeah it's a joke lol. The actual secure way would be to take the generated passwords and write them in a book. You'd still have to keep the book secure, but that's usually not a problem.
@@OceanBagel you'd think so, but somebody stealing your password book from your home is more likely than somebody breaching a password manager.
really like the continuous paper for illustration. used it 30 years ago to print t-accounts. btw great series
Great insight. Password managers stop repeat passwords and show you when you add a weak password.
I love this man and i love how ambitious he is about IT things
I use KeepassXC and it's quite convenient. It can perform autotype, that's all I need. The database file itself is synchronised between my devices using owncloud.
FYI: You could use "syncthing" instead of "owncloud" and drop the php/javascript dependencies. It should run leaner on the machines.
Thanks for your recommendation, this project looks quite decent. I use owncloud for calendar and contacts as well, so I'll probably stick with that, but thanks anyway.
Yeah I heard something like "You can use KeePass at the loss of some convenience" but I didn't understand what the loss of convenience was? AutoType based on window title works great and is SURELY safer than trusting my browser / plugins to not have any security holes?
KeePass + Dropbox = done. Mobile access, family sharing, all easy and automatic.
Linked with a YubiKey NEO for that OTP and keyfile.
@@kmcat You may like Password Safe.
Remember one good one for your main email and have password manager for other sites. If you lose the password manager, you can easily just reset the password with your email.
As a modern, cross-platform, drop-in replacement for KeePass, I'd recommend KeePassXC.
I've found syncthing to be a reasonably good way to keep my keepass database on multiple clients.
I think KeePass is the best solution. You have control of the vault yourself and you can have two different keys for the vault - you can have a keyfile and a master password that are both required to open the vault. This means that you could sync the vault through online services, but only move keyfiles through offline methods.
Also, another thing you can do is have different vaults for different levels of passwords. For example, you could have a vault that only stores your unimportant forum logins and what not and then have a separate vault that includes more important information.
Or you could use Bitwarden and be your own cloud
An offline solution is just too inconvenient for the average user.
I have no argument, thank you sir. :)
*Master Password* is a great password manager for those who are extra paranoid. It's free as in freedom software (so not _just_ simply open source), and it will work even if all your devices simultaneously combust or something. It _generates_ passwords based upon your master password and name. This means it's not stored on some cloud service where the NSA has full access to it, and it's not even really stored locally.
But if I remember correctly, you can't change a single password, only all at once?
@@KanalMcLP Nope. You can just increment a number associated with that site/user and you'll get a new password. To change your master password, however, would probably require all passwords to change.
Isn't KeePass better written, with way more functionality?
I have two passwords written down in a notebook, hand-encrypted (weakly, I admit, but I have to decrypt it entirely in my head when I forget one or the other of the passwords). One is for my keepass database, the other is for the cloud storage service (no I'm not telling you which one) I use for the sole purpose of backing up that database and transferring it between devices. There's a lot of other files on that cloud storage account, but they're all random data with similar filenames to the actual database. You know, for extra obfuscation.
I have a better idea. Use that code you wrote down as the second authentication.
What do I mean?
Do not commit your cloud storage password to your head. It is a bad idea, because your cloud storage password can be 'compromised' any number of ways. Your KeePass password, committed to memory, is a lot harder. Put your KeePass file in another encrypted file. Congratulations, you created at least three factors of authentication.
One is your external encryption password.
Then you have your KeePass password.
You also have a keyfile.
You are welcome, by the way.
Always enjoy these videos. But can you talk more about account recovery keys? Or master decryption keys and how they work? A lot of these services have methods to recover your account in case you lose your master password with master keys; how do those work?
Everyone is mentioning KeePass as their offline password manager of choice, but I personally am happy with (GNU) pass. I like the convenience of my GPG key being my master key and syncing across devices using git.
You can just sync the file with any number of cloud storage services, across many devices. That is why many of us use KeePass.
KEEPASS. Yes, if you are going open source. It is one of three.
I'd be interested in his thoughts on web browser password managers. Are they similar to LastPass in terms of security?
They are definitely stored in plain text for Chrome and Firefox on Win7 and 10, at least. If you right click a password box, inspect element, and change this field: type="password" to be type="text", you will see your plain text password. Which is why I don't let browsers save my passwords.
Browsers will encrypt passwords on disk. I don't have a huge problem with them, but I just find syncing between devices easier without tying it to a browser. Or maybe if I get a new device. I personally would also rather avoid Google having my passwords, simply because it also gives Google a list of sites I think are important. Just one more thing it learns about me!
@@flateartherpaintball5214 I just tried this on the latest version of Google Chrome on Win 10. All I got was a blank box (I even tried copying it in case it was unreadable and all I copied was some spaces), to make the password visible I had to click the button for it, and then use my full windows login to confirm I wanted a password to be visible.
@@flateartherpaintball5214 How the browser shows it in a form has nothing to do with how the browser stores it on disk. If it wouldn't do what you described, you could literally not use it, as it needs to in the end send it as plaintext to the server.
The built-in managers in browsers are just like any other local password manager he talked about. It's stored locally on-disk, encrypted.
We recently did a video on the risk of generating your own private keys. Thought you guys might find that topic interesting to cover in future!
Please talk about graphical passwords vs textual passwords, which one is more secure and powerful. Thanks, wonderful job. Keep going.
SharpScripter The only "graphical passwords" I have heard of are basically disguised onscreen 9 or 12 key keyboards with limitations in what numbers you can enter. So really weak passwords for people who don't read so well.
Graphical Passwords?
All these password managers were far too complex for most of my family, who didn't understand many of the features and just wanted something they could use easily. My Password Book for iOS devices was ideal and did not require any third-party registration.
No disrespect at all. I am a blunt person. Again, no disrespect intended.
The flaw with using built-in browser password managers is that if the account is compromised, the passwords are compromised. That is not the same if you use a program like KeePass or Password Safe. Even if you choose to use a 'retail' password manager, that is at least a separate account, on a separate service.
Also, based on my personal experience, reading and observations, your statement suggests that their passwords to their iOS accounts are garbage.
Unless they're elderly, have memory issues, or the like, I would never recommend it to anybody.
I have known, conversed with, or read about people who have had their password managers hacked. Most of the time, it was due to poor 'basic' security measures. On top of that, garbage passwords. It is one thing to get hacked. However, I am tired of people telling me they were hacked, but the adversary did not have to put any real time or effort into it.
So what password manager does he use? That would be interesting!
A video on how masked passwords work would be awesome!
KeePass + SyncThing is the golden combination tbh
Okay. But if KeePass decides that the project is too much and server costs are too high, and shuts down, I can keep using their program AND I can get all my passwords back.
A cloud service? Isn't free and is a weak link in the chain.
If you want to use KeePass across devices, employing a well-configured gdrive and Google's Backup and Sync (or another cloud service), will ensure all your devices keep their key vaults up to date.
LastPass is Service as a Software Substitute.
If you're using google drive, what's wrong with just using google's password manager?
Keepassxc file inside encrypted file container + mega.nz cloud is a great option. The keepass file is encrypted, the file container can be encrypted with multiple layers using different methods, the cloud account is encrypted, and also free.
@@JNCressey it's Google. Most people don't trust Google or Facebook.
@@ashishpatel350 With keepass you can encrypt your DB with combination of password + keyfile. Sync your DB via google drive and keep your keyfile out of it. I think even google would have problem cracking your DB without keyfile.
It all fell apart when a company named Flightsim Labs (FS Labs), a producer of overpriced flight simulator addons, smuggled a PW sniffer into their installer. This installer demanded admin rights and was somehow able to read the Chrome passwords and possibly others, too. All of this was to combat software piracy, of course. Something this very company had done, too, btw. So the customer buys a 140 Euro software, grants admin rights because otherwise his expensive and as per EULA non-refundable software won't install, and without the customer's knowledge the passwords would be uploaded to the company's server. Unencrypted, if that still matters. Of course they got away with it.
Oh yeah, I know these guys; they've been polling their users for over a year asking them if they want an updated version of the Concorde for P3D v4/v5.... the update costs as much as a new product, even though it's just the same plane made for a slightly newer version of the simulator. So far, no updated version of the plane has been made, likely because there weren't enough people throwing money at their screen when reading that.
I didn't know that they did this, but they seemed like scumbags to me just because of making customers pay full price for updates, as if it wasn't expensive enough
I've always said to people, never store passwords in the browser. I'm surprised anyone still does.
How did they get away with it? Stealing passwords is highly illegal no matter how you spin it. Even if they didn't use the passwords if they've clearly compromised the safety of their customers that's a huge lawsuit right there.
Second factor + master password! I think that should have been mentioned. Though it's still pretty bad if someone gets on your computer.
Y'all should do a video on the OPAQUE password authentication protocol!
All the encryption stuff is great for computers storing information, but a person still needs to remember the plain text password required to unlock it all. For that, people write it down on a sticky note and hang it somewhere around their computer so they don't forget it.
Assuming it's in your house and really no one has access to it besides you, it's not such a terrible idea.
In that scenario the biggest worry would be losing whatever paper you have the password written on.
Thanks to this video I started using a password manager. I gotta admit, it feels a bit scary (at first, I hope), even though I understand that my online accounts are probably way more secure than they've ever been.
@@jamescollier3 You just added that to a bad actor's password database :( .
I use HMAC to deterministically generate my passwords (master + domain) every time I need them, but then I use LastPass on my phone for a few passwords for fingerprint auto-fill convenience.
Around 1:35, you missed an option, Mike: use a mental algorithm to create your passwords, so that every password is different, but you don't have to remember them all because you can re-create them on demand :) That's what I do. Every password I ever use is different, but I don't remember most of them; I just remember how to form them and do that when needed.
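The HMAC-based "master + domain" scheme from the two comments above, as an added example that is not any commenter's code. The salt constant, the output alphabet, the PBKDF2 stretching step and the rotation counter are assumptions added here to show how such a scheme handles a single-site breach; the master secret is a constructed demo value.

```python
import hashlib
import hmac
import string

# Constructed demo secret; a real master secret is memorised, never stored.
DEMO_MASTER = "correct horse battery staple"

# Assumed output alphabet (letters, digits, a few symbols most sites accept).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def stretch_master(master: str, iterations: int = 200_000) -> bytes:
    """Slow the master secret down with PBKDF2 so that an attacker who
    learns one site password cannot cheaply guess the master from it."""
    # Fixed, public salt (an assumption of this demo): the scheme has to be
    # reproducible from memory alone, so it cannot depend on a random salt.
    return hashlib.pbkdf2_hmac("sha256", master.encode(), b"site-pw-demo-v1", iterations)


def derive_site_password(stretched: bytes, site: str, counter: int = 0,
                         length: int = 20) -> str:
    """Password for `site` = encode(HMAC-SHA256(stretched, site || counter)).

    `counter` is a rotation index: bumping it after a site breach changes
    only that site's password, which a bare master+domain scheme cannot do.
    """
    # Normalise the site name so "Example.COM" and "example.com" agree.
    message = f"{site.strip().lower()}\x00{counter}".encode()
    digest = hmac.new(stretched, message, hashlib.sha256).digest()
    # Read the 256-bit digest as an integer and write it in base len(ALPHABET);
    # 256 bits yield about 41 characters, comfortably more than `length`.
    value = int.from_bytes(digest, "big")
    chars = []
    while len(chars) < length:
        value, idx = divmod(value, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


if __name__ == "__main__":
    key = stretch_master(DEMO_MASTER)
    for site in ("example.com", "Example.COM", "mail.example.org"):
        print(site, derive_site_password(key, site))
    print("example.com (rotated)", derive_site_password(key, "example.com", counter=1))
```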
You can probably write a simple password manager on your own as a shell script. It's basically just a hashtable (service as key and password as value) which can be encrypted or decrypted using GPG. If you want access to it from different devices, you can put the encrypted file in your nextcloud. There is no need for a specific service which stores passwords only.
Fun fact: If we could authenticate via a GPG-key in our TLS traffic, we would not even need so many passwords in the first place.
Yeah. Password manager seems like a fools game.
This weekend I started a pw manager and bought a server to host a git repo. I'm using pass for linux. I thought I was being re-marketed and then saw the date on the vid.
It works too. pass git push/pull and boom.
Ah but you see. I will type "password" in backwards. Nobody has thought of that yet; foolproof
I use a self-hosted Bitbucket container on my file server. If I need a password on my phone, I can VPN into my home network and get whatever I need. A few extra steps but it's not too bad. I used KeePassXC (I think that's what it's called) for a while but I wanted something multiple devices could potentially access at the same time.
??? That would mean you are sharing the data. It would be efficient to store backups of the KeePass file on your own server. Then if you needed to retrieve it, then just do it. Also if you needed to backup the file. It is done.
Camera-man, get a tripod my man. Your hand must hurt af
I use keepass2 and make backups (4 different local locations on flash drives with obscure filename) EVERY TIME I edit it.
I see Dr. Pound, I know I am about to learn. I tap the like button, tap the play button, and commence learning.
I was hoping to see you do this topic, thank you :)
Mike: not "correct horse battery staple"
Me: ...damn
XKCD: Told ya..!
Love the nod
I am a simple person. I see Dr Pound, I click
BitWarden is for me one of the best password managers out there currently available
how does spiderman know so much about passwords ?
That XKCD reference though
Super awesome! I love password topics covered by your channel. Please more. Thanks!!
Also: A recommendation which password manager Dr. Pound is using would be great!
Michael Hammer That would probably be a security flaw in and of itself. You probably don’t want the whole world knowing which service you use, as they may start trying the “forgot password” tool and possibly get in.
In simple terms, it is safe to use a manager... Thanks!
I use Veracrypt to create an encrypted file which I then store on the cloud. I feel much more comfortable knowing that I've encrypted it using 3 different algorithms.
And why's that? It doesn't stop brute-forcing, but it does mean that if one algorithm is broken it's still secure.
And yet should the time come where one of these algorithms is broken, I'll be grateful I've encrypted it 3 times over.
My volume is more than fast enough. I'm only rocking .txt files and pictures in it. It's not like I'm running a server or something.
Hmm, I would like to read the audits that disclose this. Most people are not going to have their VeraCrypt encryption open all the time.
@I A better option is using separate encrypted files.
1) KeePass file.
2) Then put it in a VeraCrypt file.
3) Then put the file in a .7zip or zip file.
Three layers. Three passwords. Multiple iterations.
@@bobbarker7820 Correct.
I started using an online password manager after this video. Honestly, first I thought using an offline-based one could be safer yet they're so annoying and tedious
For almost all users there's no real security bonus to keeping it offline, the people that really need it need to be trained how to use it right or it can be worse for them. As long as it's implemented correctly like this video describes, don't put your passwords in excel and post to github /troll :)
That is the point. You are trying to break a behavior that is going to put you into a weaker position. Research and read the data on how passwords are commonly broken. Generally once hashes are extracted from a database. They are broken with dictionary attacks. Then brute force. Brute force often works on weaker encryption. Dictionary attacks work typically on common password patterns. A program that uses both and has the power to do it reasonably fast is the danger you want to avoid.
You can search YouTube, .7z files as well as .zip file hashes can be extracted. What you care about is somebody taking that hash. Which is the mushed and mixed up version of your password. Then running the aforementioned and finding a match.
@@jamesedwards3923 That's why you have a strong master password for your password manager and have it create strong, unique passwords for all your sites. 1Password has the advantage of having built-in 2FA by generating a Secret Key that only the user has access to.
KeePassXC > KeePass. Natively multiplatform and compatible with KeePass databases.
I run XC on Mac, Desktop Linux and Android, but I use plain keepass on win. I think the native .NET plays better with win.
I like using 1Password because of its history and it's secure enough for me. Most importantly, it is pretty enough.
You forgot the fourth option. Create a password dependent on the website, for example "Google's background is white" might be a google password, and you can use that pattern with multiple sites. Rinse and repeat; each site's password is different and you can remember all your passwords.
@@DanStoneUK Maybe so but if someone has a keylogger on you and you use a password manager you're also in trouble. It doesn't stop manual attacks, but it stops quick scans hackers might do over leaked password lists.
For me, the question is: how do pass managers fill the fields on the sites? JS injection, native copy/paste methods, simulating keystrokes? I don't understand that
Keepass simulates keystrokes, which has the advantage that it doesn't matter whether you are logging into a web service or using some proprietary software, such as a gaming client.
AFAIK the other ones are completely different, but I haven't used them myself. At least their websites are only ever talking about filling in web forms.
I'm always looking for a single paragraph summary explanation on matters but instead always find an endless novel
I'm surprised that nothing was said about Argon2. Also, KeePass has some protective mechanisms against keyloggers: Secure Desktop, Two-Channel Auto-Type Obfuscation.
Yeah, but they only work for bad Keyloggers and are easily breakable.
I have not read enough on Argon2, but from what little I have read. It is reasonably secure.
The problem I have with Argon2 is simple. Some ports of KeePass do not support it. Which is annoying. However, it is an open source project. So I do not complain. I am just making the statement.
I made my own offline password locker, it's got steganography, voice recognition and basic SHA encryption on top of it! inspired by Computerphile videos!
Which version of SHA?
The main issue I see with online Password Managers that cost money is that they kinda pull you into a racket, because now if you don't pay them, they have all your passwords to all your stuff, and there's no way you can possibly figure out those passwords on your own to recover your accounts if they end up jacking up the prices or changing owners to a parent company you can't trust like Microsoft.
So essentially this is just like PGP. There is a private key and a "public" one. You give the public to the password manager which then returns your vault, which then you decrypt using your private key.
Thank You Dashlane ...
1:55 i love how he says "pathwöd's" (yes, it is an umlaut o)
Keepass FTW
I use Keepass with 2 step password, one is my password and other is a local key file
and keepass add-ons allows for browser autologin and also cloud storage.
Is the automatic login from google chrome or samsung phones also some sort of password manager or do they use different (less secure?!) methods and are not advisable?
How would you feel about a user utilizing a local password management program and merely saving the file on a dropbox, Google drive or similar? Sort of a deflection of the concern of a big target on the back of Dashlane et al. at the expense of a little less intrinsic security
Back to passwords!! Brilliant
But would you need a password manager when you have Correct Horse Battery Staple for all your accounts?
List of options by Dr. Pound
1. Write passwords down
2. use same strong password everywhere
3. use a password manager
Actual options:
1. Write passwords down
2. use same strong password everywhere
3. use a password manager
4. create your own system of generating passwords for each website that doesn't need to be written down