God bless your soul. Having had multiple email addresses for years and for different purposes, it was a nightmare for me to figure out a way to keep track of all my passwords, so before, I used to have similar passwords on all of them, and that led to all my accounts getting hacked earlier this year; it has left me paranoid ever since. Now I don't save any passwords anywhere and don't even trust the browsers with them, so coming across your Bitwarden videos was a true blessing and gave me a much-needed sense of cyber security. THANK YOU SO MUCH!
Glad this was helpful for you!
Before Argon2id was available I had the iterations at 2 million. This took about 16 sec to decrypt on my Amazon Fire HD 10 Plus (2021). In May, after I knew Bitwarden was updated across all my devices to support Argon2id, and in late June, I did my own digging on what these settings mean. I did not modify the settings as far as you showed. Default Argon2id was 4 sec to decrypt. After my changes to the iterations, it is about 10 sec to decrypt the vault. Thanks for describing these settings.
Nice! You were well ahead of the game before argon2id became available.
The order of operations for increasing values would be memory and then iterations. Those are the two most important ones (and the ones that impact the amount of time to decrypt).
If you haven't seen this, check it out for more testing. It was super helpful for me:
antelle.net/argon2-browser/
@teachmecyber Jason, I have Argon2id with 6,128,8.
Thoughts on that, strong enough? And is that stronger and harder to crack vs PBKDF2 600000?
If you use more than 64MB of memory, iOS autofill won’t work anymore. Bitwarden updated this information.
Thanks for the info!
If you use autofill you can end up sending your password to mean ole hacking guy.
I have to say, this video is absolutely awesome. The terms & methods are clearly explained AND you provide the technical terms/names I'll need to learn if I want to gain a deeper understanding. You've definitely gained one more fan & sub!
Explain more on Bitwarden... I have been using it for 2 years and I was unaware of this. Please make a detailed, in-depth exploration video on Bitwarden.
Thanks for the feedback! If I get some more requests on this, I'll make a more in-depth video on how it all works under the hood.
While 11 months late on this video.... You can also choose a password manager that does not store your password vault on the internet.
Only a couple do this. Some create an encrypted password vault on your local computer, so even if a site gets hacked... that site can ONLY get the one password that was passed through the web extension. (If your whole vault is stored in a web extension like LastPass or one-pass, you risk losing your whole vault to a nefarious website.)
A nice approach, which doesn't work if you use a computer at work and want to login to a site using your private login.
@becks0816 You can create a copy of your vault and place it on a thumb drive, setting up the work RoboForm to look at your thumb drive. I do this.
@becks0816 But if you self-host your Bitwarden, these problems are solved.
It doesn't matter what the algorithm is. For example, let's say you have a really weak password of 1234; then the hash for 1234 will still be whatever that hash is. So entering 1234 will still unlock your vault regardless of what hashing algorithm is being used on the backend. The point is to use a strong passphrase.
A strong master password is the first and most important step. The algorithm just adds a layer of security in the event someone does try to brute force it. It's added protection against a lastpass type scenario.
Hashing isn't the only thing being applied... salts and multiple iterations will harden even a simple password like 1234 - of course, it wouldn't withstand a brute-force attempt.
@1080pixel The point is a password like 1234 is going to be on every common password list and is going to be one of the first tried in a brute force attack.
@seanmcmurphy4744 Do you know what salting does?
The point of the video is making it harder for your vault to be cracked in case Bitwarden servers are hacked and the encrypted vaults themselves are stolen, which was what happened to LastPass.
Excellent explanation 🙏🏼💎
Glad it was helpful!
You can (and should) change all your passwords stored in lastpass (then switch to something like bitwarden), but sadly, any notes will still be there for the hackers. Eventually, it WILL be cheap to crack all of the stolen collections, and your notes are theirs
+1 for changing your passwords in lastpass. Even with the notes, it will be good to go through those notes and make sure there isn't anything sensitive that needs to be changed (e.g. like security questions and things of that nature).
Changing the notes won't matter. The copies of the vaults that were stolen have the notes from when they were stolen last summer (2022).
I had never heard of Argon2id before, thanks.
You got it!
Jason, what does it mean exactly to rotate my account's encryption keys, and do you support doing that?
The encryption key is used to encrypt the vault. So if you change your master password it doesn't change the encryption key.
Typically you only rotate your encryption key if you have reason to suspect it has been compromised.
For most users, they won't need to rotate their encryption key.
@teachmecyber Gotcha, thanks :)
Thank you Jason, I really love your videos, very educational.
As a result of your videos, I went to Bitwarden from Keepass.
And may I ask your thoughts on Proton Pass?
Worth looking into?
Glad to hear that! I haven't done a full deep dive yet on Proton Pass. I typically favor companies who focus on the password manager as their primary business. So things like 1password, Bitwarden, and Dashlane.
Why would further encrypting your master password matter? Wouldn't it be easier for the hacker to simply try to brute force your password either way? So why does it make any real difference whether you use SHA-256 or Argon2id?
Argon2id slows down the brute-forcing process. It basically just takes longer for it to calculate whether the password is right or not, which slows down the attacker's ability to guess passwords. It's helpful in the LastPass scenario where attackers stole the vault.
@teachmecyber I see, thank you for the clarification!
@teachmecyber So then really the entire purpose of this is specifically to add in that login delay time?
@ScottElblein Yes, assuming you have a good password, adding delay makes it take too long to try enough times to find the password.
Good advice. But I think with a lot of iterations with PBKDF2 there is also a delay there. Your explanation sounded like the delay would be new with Argon2id...
That's correct, with more iterations on PBKDF2 there will also be a delay.
Thank You, Thank You, Thank You!!!
Thanks for watching!
Sir, can I have a full structure for Cyber Security Analyst or Network Architecture?
Great stuff man, thanks for the tip. So yeah, I've been dealing with hacking for a minute. Would love to know if I could be hacked while a page is loading? I use the "copy and paste" method when inputting my username and password, which might not be the safest. So when I go back to the page I'm trying to log in to, could those hackers switch pages on me and have me logging in to a phishing site?
The biggest risk with copying / pasting is that you could be putting it into a phishing page. With autofill or passkeys, it will detect the URL and only put the password (or passkey) in if it recognizes the URL.
@teachmecyber thanks man, just what I'd figured.
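The reply above says autofill only fills a credential when it recognises the URL. The check below is an added illustration written for this page, not Bitwarden's own matcher: it implements a "base domain" comparison (the default match type in Bitwarden) over a tiny constructed stand-in for the Public Suffix List, and shows why a credential pasted by hand onto a lookalike host gets no such protection.

```python
"""
Base-domain URL matching, the rule a password manager applies before it
offers to autofill. Added illustration for this page, not Bitwarden's code:
the suffix list is a constructed stand-in for the Public Suffix List.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# A real matcher loads the full list so that every ccTLD second level is known.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk", "github.io"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the base domain (one label above the public suffix) of a URL's host,
    e.g. accounts.google.com -> google.com, www.bbc.co.uk -> bbc.co.uk.
    Returns None when there is no host at all."""
    if "://" not in url:
        url = "https://" + url          # allow bare hosts as users type them
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return None
    labels = host.split(".")
    # walk from the longest candidate suffix to the shortest, so "co.uk" wins over "uk"
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host                          # unknown suffix (intranet name): whole host


def would_autofill(saved_uri: str, page_url: str) -> bool:
    """Base-domain match: scheme, port, path and subdomain are ignored,
    but the registrable domain must be identical. A lookalike such as
    google.com.evil.example or googIe.com therefore never matches."""
    saved, page = registrable_domain(saved_uri), registrable_domain(page_url)
    return saved is not None and saved == page


def explain(saved_uri: str, page_url: str) -> str:
    """One-line verdict for a saved URI against the page the user is on."""
    verdict = "FILL" if would_autofill(saved_uri, page_url) else "NO FILL"
    return f"{verdict:7} saved={registrable_domain(saved_uri)} page={registrable_domain(page_url)} ({page_url})"


if __name__ == "__main__":
    SAVED = "https://accounts.google.com/signin"      # constructed saved login URI
    for page in (
        "https://mail.google.com:8443/inbox",        # same base domain: fill
        "http://google.com/",                        # scheme ignored: fill
        "https://google.com.evil.example/login",     # phishing host: no fill
        "https://googIe.com/login",                  # homoglyph (capital i): no fill
        "https://login-google.com/",                 # lookalike: no fill
    ):
        print(explain(SAVED, page))
```

The flip side of base-domain matching is that any subdomain of the saved site is accepted, so on hosts where untrusted parties control subdomains a credential can still be offered to the wrong page; Bitwarden's Host and Exact match types exist for that case, and passkeys bind to the origin outright.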
My Bitwarden password is 44 characters long, and my PBKDF2 iteration count is 1 million. I set this up before Argon was available. Unlocking my vault on my cheap Onn tablet takes a few seconds or so, so I figure I have hit the sweet spot for now. I'll consider Argon in the future, though.
You've got a great set up with that combination. Argon will have some more security control against certain types of attacks, but they're not a huge concern for the majority of people.
When backing up the Bitwarden vault, where is the safest place to store a .json file after exporting the vault?
If you're doing it as a backup, you can store it on an encrypted USB drive.
I trade with family members. 3 members have mine in case my sister lost mine, like usual. But I placed it on her computer where she doesn't go. The external drive I get called over to update when she needs to. I'm the family IT guy, so they don't know that we all have the important backup files in the classic 3-place rule.
Would the next best option be a Yubikey?
With 2FA though, is this even necessary?
Is all of this still applicable today? Or did Bitwarden update itself to the point where it is no longer needed?
Can the same be done with my RoboForm??
You're likely okay!
How much is ok to put for KDF?
The current minimum recommended amount is 600,000. I would go higher if your devices support it.
What do you think about using YubiKey 5C with Bitwarden?
It's the most secure option!
That’s great! I JUST set mine up with one, along with your recommendation from this video, Argon2id. Thanks for all the info!!!!
Please don't say uncrackable; nothing is uncrackable. Even when it mathematically takes 200 million years to guess a password, there are always ways to shorten this time.
Especially when you take algorithms like AES or hashing algorithms like SHA-256 or Argon2, there is always the possibility that there is a security flaw in the algorithm itself. A truly uncrackable algorithm would be the one-time pad, but everything which is mathematically calculated can be cracked, especially with quantum technology.
Yes, everything is going to be crackable with limitless time or the advancement of quantum computing. But for 99.9% of people, this setup will keep their vaults in a position that won't be crackable given their risk profile.
@teachmecyber Yes, that's true; in cyber security you only need to run faster than your friends to not get chased. But I think it's wrong to say that anything is uncrackable. I understand what you mean, but for someone who doesn't know a lot or anything about that, it implies that it's really uncrackable. When you explain it like you did now, it brings people closer to reality without underestimating the risk. But everything else is great. It would be great to see videos for advanced or more tech-savvy people in the future. Keep going!
Any advanced topics in particular you'd like to see?
@teachmecyber Maybe something like how to handle a digital will in a secure way (government-proof), which I would still consider basic, but some IoT stuff with things like mDNS and firewalls. Or things like ransomware protection. All your videos are fine, but what I've been missing is that you go really deep and explain the details. It's not a must and can be boring or not necessary for the average viewer; it would just be some input you can maybe use for orientation.
Thanks for the feedback!
Is this KDF feature only available on the paid version of Bitwarden? I don't see it on my free version.
Good content 👍
Thanks! Hope it was helpful in securing your passwords!
3:09 I always thought zero-knowledge encryption was just, the password was turned into a key and tested on its merits - if it successfully decrypted the vault, it must be the correct password. If it failed, then it wasn't correct. Interesting! Does that mean Bitwarden does have a database of hashes?
Hello, can you please measure the time difference between argon2id, and the default one? Also, do you think my low-end Android could handle it?
Here's a website you can use to test the different timings. You can also run this from your Android to test the difference and tune it to something that works best for you.
antelle.net/argon2-browser/
@teachmecyber Is argon2id and argon2di the same?
Yep, same thing!
I tried the 2nd method of Argon2id (the 500 MB one) and on my PC it's slower than on mobile, but still fine (about 7 sec on mobile and about 12 on PC).
Wow, I would not have expected that!
@teachmecyber Yeah, kinda weird lol. BTW I have a 6th gen i7 and 16 GB RAM on the PC and my mobile has a Qualcomm 732G with 6 GB RAM, so that desktop CPU should be a lot better in terms of power 😅
@Hawk_112 Not really. The Qualcomm chip is a lot newer, and for this kind of stuff it probably is better than the dated i7.
Question: If a password of mine is in one or more data breaches, but the password breach was only bcrypt hashes and my password is very secure and long, is it safe to use it on a website still?
Jason, so is my understanding correct... whenever we create a database, our password is NEVER sent to Bitwarden, but the HASH? And if that is the case, how can Bitwarden verify our password is correct when opening the database if all they have is a copy of a "HASH" and not the password?
Thank you kindly :)
The only way to calculate the right hash is to have the right master password! It's a nice way to ensure that someone has the right password without needing the actual password.
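Two questions in this thread, why a slower KDF matters once the encrypted vault has been stolen and how the server can check a master password it never receives, are easier to follow with a runnable model. This is an added example written for this page, not Bitwarden's code: it follows the outline of Bitwarden's published design (master key derived from the password salted with the email, an extra one-round PBKDF2 of that key sent to the server, the server hashing it again before storing it), but PBKDF2-HMAC-SHA256 from the Python standard library stands in for Argon2id, the account, vault blob and wordlist are constructed, and an HMAC tag stands in for the real AES-CBC+HMAC vault format.

```python
"""
Simplified model of a zero-knowledge master-password flow (Bitwarden style):
the server only ever sees a hash derived from the master key, yet it can still
verify a login, and an attacker holding a stolen vault pays one full KDF run
per guess. Added illustration with constructed data, not Bitwarden's own code.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed demo account (assumptions of this example, not product facts).
EMAIL = "alice@example.com"
STRONG_PASSWORD = "correct horse battery staple 42"
WEAK_PASSWORD = "1234"
# Constructed mini wordlist of the guesses an attacker tries first.
COMMON_PASSWORDS = ["123456", "password", "1234", "qwerty", "letmein"]


def master_key(password: str, email: str, iterations: int) -> bytes:
    """Client side: stretch the master password into a 256-bit master key.
    The email is the salt (as in Bitwarden's whitepaper), so two users with the
    same password still get different keys. PBKDF2-HMAC-SHA256 is used here
    because it is in the stdlib; Argon2id would replace the single iteration
    count with memory, iterations and parallelism."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), email.lower().encode(), iterations, dklen=32
    )


def auth_hash(mkey: bytes, password: str) -> bytes:
    """Client side: the value sent to the server at login. One PBKDF2 round of
    the master key salted with the password; it cannot be reversed into the
    master key, so the server cannot decrypt the vault."""
    return hashlib.pbkdf2_hmac("sha256", mkey, password.encode(), 1, dklen=32)


def server_enroll(client_hash: bytes) -> dict:
    """Server side: salt and hash the received value again before storing it,
    so a dump of the user table is not directly usable as a login credential."""
    salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", client_hash, salt, 100_000, dklen=32)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, client_hash: bytes) -> bool:
    """Server side: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", client_hash, record["salt"], 100_000, dklen=32)
    return hmac.compare_digest(candidate, record["hash"])


def seal_vault(mkey: bytes, iterations: int, blob: bytes) -> dict:
    """Stand-in for the encrypted vault. The real thing is AES-CBC plus HMAC
    under keys derived from the master key; only the HMAC tag is modelled here,
    which is exactly what an offline attacker checks to know a guess was right."""
    return {"iterations": iterations, "blob": blob,
            "tag": hmac.new(mkey, blob, "sha256").digest()}


def offline_crack(vault: dict, email: str, wordlist) -> Tuple[Optional[str], int]:
    """Attacker with a stolen vault: no server, no rate limit, no 2FA.
    Each guess costs a full KDF run, so work = guesses * iterations.
    Returns (recovered_password_or_None, guesses_tried)."""
    for n, guess in enumerate(wordlist, 1):
        k = master_key(guess, email, vault["iterations"])
        if hmac.compare_digest(hmac.new(k, vault["blob"], "sha256").digest(), vault["tag"]):
            return guess, n
    return None, len(wordlist)


def seconds_per_guess(iterations: int) -> float:
    """Time one KDF run; this is what the KDF setting buys you per guess."""
    t0 = time.perf_counter()
    master_key("benchmark", EMAIL, iterations)
    return time.perf_counter() - t0


if __name__ == "__main__":
    ITER = 600_000  # Bitwarden's current PBKDF2 default / recommended minimum
    mk = master_key(STRONG_PASSWORD, EMAIL, ITER)
    record = server_enroll(auth_hash(mk, STRONG_PASSWORD))
    print("login ok :", server_verify(record, auth_hash(mk, STRONG_PASSWORD)))
    print("wrong pw :", server_verify(record, auth_hash(master_key("nope", EMAIL, ITER), "nope")))

    weak = seal_vault(master_key(WEAK_PASSWORD, EMAIL, ITER), ITER, b"constructed-vault-data")
    strong = seal_vault(mk, ITER, b"constructed-vault-data")
    print("weak vault   :", offline_crack(weak, EMAIL, COMMON_PASSWORDS))
    print("strong vault :", offline_crack(strong, EMAIL, COMMON_PASSWORDS))
    for it in (10_000, 600_000):
        print(f"{it:>8} iterations: {seconds_per_guess(it):.3f}s per guess")
```

Run it and compare the two timing lines: the attacker pays the same per-guess cost the legitimate client does, with no rate limiting and no 2FA in the way, so the only levers are password strength (the weak vault falls on the third guess, the passphrase survives the whole list) and the per-guess cost set by the KDF. Argon2id changes what that cost is made of, adding a memory requirement that GPUs handle poorly, but the shape of the attack is the same.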
What about 2FA with an authenticator app? That's what I have set up.
If you use more security and it takes long, I assume that you use the remember session? Or every time you log in to something, do you put in your password and 2FA code and wait for Bitwarden to open?
This depends on the site. I prefer to log in each time if the site doesn't have any additional security protections. E.g. some mail clients like Google will force a more secure login if the device is not recognized.
The main risk is that if you're not using a secure MFA method like passkeys or FIDO2 hardware, you could get phished. This could steal your session token which would give the attacker access to your account.
Check out my video on 2FA for more info on that style of attack.
@teachmecyber Good point about session keys. I have Yubikeys set for all my major accounts.
2:05 that chart doesn't show special characters/symbols. If it had that in the chart the "strong" section wouldn't be measured in "centuries" but millions/Billions of years.
At least with conventional computing power.
I think you'll appreciate this: specopssoft.com/blog/best-password-practices-to-defend-against-modern-cracking-attacks/
Not the most direct comparison as it focuses on cracking MD5 hashes for passwords, but it shows the addition of special characters and how that can support the strength of your passwords.
Thanks. How would I safely delete or discard the JSON file which we saved before we changed settings? I am assuming that all passwords were saved on my laptop. I know I can just delete the file from my laptop, but would it delete from the online world? Lol
Imagine entering a really long master password/phrase on a mobile device when you install Bitwarden or when it times out. It is a pain, especially with various virtual keyboard behaviors.
You can configure it to use your fingerprint and not prompt for the password
After setting it up as suggested the first time (Argon2id, 500 MB, KDF 6 and 8), I was able to log back into the web safe without any problems, but the mobile keeps giving me errors: "username or password is incorrect. Try again." Does this mean that this setup is too strong for my mobile?
I tried lower values, but that didn't work either, so I had to reset it to PBKDF2 SHA-256 and 600,000 KDF to be able to log in on my mobile.
No, it would just go super slow on mobile but wouldn't throw this type of error. Double check your master password you're typing in
@@teachmecyber Well, I figured out what the problem was, wrote to support, they replied very quickly, and it turned out that the region setting was wrong because I had chosen EU instead of US. As they wrote, it doesn't depend on the physical location, but where it was initially established. Very useful video by the way, thank you!
Ahh okay, that makes sense. It's likely because they're not storing the vaults in both regions, so you need to make sure you're connecting to the right one. Thanks for letting me know!
I don't think the bottleneck is the encryption at this point. If your password is indeed 16+ chars with some punctuation, people are not going to try and crack it. If they really wanted access they would do so by other means, like phishing or social engineering. Uncrackable, sure, but impossible to get unauthorized access, no.
100% agree with you. That's why the use of a strong master password and MFA will help secure your account.
These settings are useful in dealing with a LastPass scenario where the vault is stolen.
😊
😊😊😊
How does someone trying to crack your password know how many characters long your password is and if you’re using punctuation?
They won't know how long or complicated your password is. The weaker the password though, the easier it will be for them to have a match. They typically will start with less complex passwords because it's quicker to check.
thanks
Thanks for watching!
I'd like to ask... I already have security keys set up on my account. Does it then matter if someone cracked my password? Am I still okay?
I haven't looked deep into this, but as I understand it, the security keys are used only as a barrier to log in and get to the password vault, so they don't add security to the vault encryption itself. If someone finds your password, they wouldn't be able to access your Bitwarden account without your security keys, but if a hacker gets into Bitwarden's servers and obtains your password vault (what happened to LastPass, and the point of this video), the security keys don't matter.
@robervaldo4633 I did not realize that... thank you for taking the time to explain it.
I love the tinfoil hat cats with the sound & all the little video game things you put in your videos. This is boring stuff but you're the 7th grade teacher I wish I had!
PASHWORD HASHING
This advice is straight up wrong. You want to set parallelism to 1. Higher than 1 will make it faster to crack your vault, and will offer you no speed benefits for unlocking your vault if you are using bitwarden on desktop (which currently doesn't support multiple threads for argon).
What does "make sure it's not sitting in your system" mean in the context of the master password? It's annoying and frustrating when you assume your audience knows what specifically you are referring to, like the clipboard or some other place. I don't want the back and forth questioning to understand your words. I should get it from the video.
That was in reference to the password export when you are migrating to bitwarden. You don't want to have the password export sitting on your computer because someone can get your passwords in cleartext in that file.
@teachmecyber so where do you store that file?!
@sublim3princ371 As shown in the video, that backup was just to make sure you could recover your passwords if changing the encryption parameters gave you some problem and "broke" it. After everything went well, it's better to just remove the backup file (because it has all your passwords unencrypted) or, if you want to keep such a backup, store it on an encrypted backup device (also, Bitwarden allows you to get an encrypted JSON file instead of an unencrypted one).
@sublim3princ371 -- You can put the JSON file in a temporary folder --- it's only needed for the import to Bitwarden, so once you import your data to Bitwarden, use a file destroy utility (overwrites the JSON file with zeros) to delete it right away.
6:12 LOL Paschword Hasching Competischion
They have competitions for everything!
Algorithm.
👍
Just use defaults. No point for almost anyone to go beyond that.