Passwords Suck! The First Step To Going Passwordless with PassHub

  • Published 4 Oct 2024

COMMENTS • 68

  • @LionRoars918 1 year ago

    I just spent a day redoing my passwords. I was bad and reused too many. I am better now.

    • @ShannonMorse 1 year ago

      I'm so proud of you for doing that!! Did you switch to a pw manager?

  • @1186wolf 1 year ago

    Since I've been on the Internet I had to set up a Book of Passwords, because my web suites keep increasing the password to a longer entry, and because I had to change some more than 3 times in a year I had to look up what I used! because I could not remember what I used! 2FA makes you keep the list! So again you have to keep track of your passwords even with 2FA.

  • @alexwilliams4503 4 years ago +1

    Thanks Snubs. Will definitely give Passhub a go.

  • @stephenkamenar 3 years ago

    good points, except that wwpasshub stuff was super confusing. no idea how that's supposed to work

  • @garynagle3093 4 years ago +1

    Great information! Thanks for educating

  • @edwarddiggs3366 4 years ago +3

    OMG Shannon. Passwordless security is something my boss and I have been talking about for some time now. We can only hope that this becomes reality for all businesses in the future. Thank you for the great video. :)

  • @stevec. 4 years ago +1

    I think you should investigate the SQRL system as developed by Steve Gibson at GRC. Look up the Event on the Twit TV website. I think it will completely outshine what you're suggesting here.

    • @ShannonMorse 4 years ago

      I'll go directly to Steve's own website. I used to work at twit and will not support their network in any way.

  • @tekchip 4 years ago +1

    Biometrics are not a good option. If your biometrics are compromised you can't readily change them. Unless the tools for making an identification become significantly better, so as not to be trivially fooled, then this shouldn't really be considered. Especially not as a sole means of authentication. We've seen Face ID and fingerprint sensors be fooled by really trivial means, and advancements seem to be slow in coming. TL;DR if it can't be readily changed then it probably shouldn't be considered for password-less.

  • @jdonwells 2 years ago

    I tried one of those cards with a keyboard translation on them. The problem was I could never generate the same string of characters twice in a row using the same input string.

  • @alain-pierrep.312 4 years ago +1

    Passwords may suck but are easy to explain. Public key cryptography is much harder to describe. 2FA sits in the middle. So I guess all of that will rest on 1. education, 2. *open standards*, 3. robustness and user-friendliness of the tools used and 4. no dependencies on a third party (which may fail).

  • @_TheRightAngle_ 1 year ago

    What about the Yahoo accounts who've been established for years? Pack it up, move it over and wait for the next assault? Perhaps the next assault is to crack the master password. Goes on and on forever... But then, everything will settle forth.

  • @ServiceComputers 4 years ago

    This sounds a lot like Steve Gibson's SQRL (Secure Quick Reliable Login)... 🤔

  • @janokartal5690 4 years ago +2

    Nice like it all shannon 🙂😊👍

  • @michelona1701 4 years ago

    Passhub locked and loaded! Thank you. I couldn't remember a password to save my life! Literally. I rely on managers, but I do have a master pass. Using encrypted codes rule! Thanks

  • @mjbates 4 years ago +1

    Most password managers check the certificate of the website before they autofill. Still gotta trust the CA root stores, but the convenience is worth it to me.

  • @jasonheminger4844 4 years ago +3

    Maybe I'm missing something, but if I have to enter a pin, how is that any more secure than a master password for the traditional password managers?

    • @Kas_Styles 4 years ago +2

      True. I saw that too

    • @TheBreed010 4 years ago

      Are you suggesting that PINs (personal identification number, 404 no password in this acronym) are just another manifestation of passwords? I am sure the sponsor of this video would vehemently disagree.

    • @jasonheminger4844 4 years ago +1

      @@TheBreed010 How are they different? Each is a series of characters you have to choose and enter every time.

    • @TheBreed010 4 years ago

      @@jasonheminger4844 I should have added

    • @w3ua684 4 years ago +1

      PIN is a very temporary measure, which helps you to decrease the probability of abuse of your token when it falls into the wrong hands. Of course, if a bad guy got BOTH your phone with the app AND the PIN, he will be able to use it until the owner recovers the key and thus disables the compromised device. In traditional password managers, the master password is enough to get to everything. In PassHub the encryption keys have nothing to do with the PIN. In this respect, the WWPass PIN is similar to a chip bank card PIN -- if you don't have the card, knowledge of the PIN alone doesn't let you get the money.

  • @stxflyer 3 years ago

    How does this work on non-PCs?

  • @TheBreed010 4 years ago +1

    Shannon, why are you using a (Twitter) password of such insane length? Best case scenario, Twitter stores your password as a salted hash, and no hash function that I know and trust can handle the entropy required for passwords of such lengths (as far as I know, many websites that accept extremely long passwords just cut them off after a certain length and don't process the excess, but even if not, the hash will limit your entropy). So, since you are using a pw manager, I would recommend you set an entropy that you trust (something up to 256 bit) and generate passwords with that much entropy. There is no point having 512 bits of entropy if the data are, for instance, encrypted with AES256 (only the weakest link in the "chain" needs to be broken, hence max security depends only on the weakest link), and that can handle at best 256 bits of entropy, so any password length beyond that is just wasted and sucks if you have to type it when autofill or copy/pasta is not available. So 256 bit entropy is about 43 symbols (assuming you only use numbers and upper+lower case letters; 62^43 is about 2^256), which I feel is crazy overkill but should definitely be the upper bound of password length for generated passwords that most of the time get autofilled or copy/pasted. If you want to use diceware, 256 bit entropy comes out to 20 words, giving you (assuming you use the English wordlist with 4.2 characters on average, maximum 6) 84 character long passwords on average (abs max 120 characters). But I would recommend stopping at max 128 bits of entropy (22 chars of (upper+lower)+numbers, or diceware 10 words) because that is still overkill and, if not social engineered or stolen or circumvented (against which no additional length helps), absolutely unbreakable for at the very least decades of quantum computer advancements, if not ever.

    • @ShannonMorse 4 years ago +2

      I was exaggerating but also this is a really long comment. Much longer than my exaggerated password length.

    • @jamesedwards3923 4 years ago

      My passwords indeed get into the thousands and soon even higher. My rule is simple. Whatever the max length is for an account or application. That is what I use. To do anything less is foolish. Unless you are trying to remember it.
      You are correct Ms. Morse. Longer and complicated for passwords not committed to memory is an absolute.

    • @jamesedwards3923 4 years ago

      My Facebook password is 1000s of characters. One day when I was updating my passwords, I decided to see if Facebook would allow it. Facebook did, so next time I will try a longer password.
      Next time I update it, I will try a much longer code.
      Since you are not using human memory to remember your password. You always max it out as long as the site or application allows. To do less is irrational. The longer and more complicated the hash is. The harder it is to brute force. Also mathematically less chance of hash collisions.

  • @_BangDroid_ 4 years ago +4

    If my phone is lost/stolen/broken I won't be so worried about someone accessing the info, what with device sec and all, but what will I do if I can't authenticate using my device?

  • @jacquespannetier2035 4 years ago +1

    You're not the only tech podcaster featuring a sponsor. Money is rare, I get it. Our friends at TWiT have been doing that for quite some time (and ironically they too are sponsored by a password manager :) ). At least their editorial content is so diverse that it's not a problem most of the time. However, I'm probably not alone in feeling a bit uneasy about seeing a sponsor... *AND* having *their* product featured so prominently. It makes this podcast look more like an infomercial than anything else.
    That said, usernames/passwords are a necessary evil and they're not going to disappear anytime soon. Products like Passhub, just like other identity/password managers, are just band-aids for the underlying problem: how to authenticate people? 2FA and MFA are a way, but inconvenient and still hackable. From what I see, a QR code is just a password that is not text. Back to square one... with the same caveats as traditional passwords.
    As for credentials, instead of supplying something that we know (like a username/password combo), I'm not sure that using something about what we are, like biometrics, is such a good idea. It makes the person uniquely identifiable everywhere, therefore so easily machine-trackable. Bye-bye privacy. An example of biometrics gone bad is China... and sadly our governments aren't too far behind.
    Incidentally, that's what ad networks like Google have thrived on: tracking people everywhere we go on the internet, so they make extra money by charging a premium to advertisers. Imagine if they had access to our biometrics (as a result of... a login on one of Google's many services, for example). It totally eliminates guesswork. And of course, unwanted ads are a lesser evil compared to a government being able to track its citizens if they require the use of biometrics for everything. So until we find something better...
    Traditional username/password combos make it so easy to have as many identities as we need, and that's a *very* desirable feature for most people, and that's your target audience.
    (Granted, it's a HUGE nightmare in the corporate world, with so many systems with their own dedicated username/password to remember and so much stand-alone security to manage, hence the push to scrap that and go beyond traditional LDAP security management from the Windows world in favor of a true electronic identity, so each employee accesses directly the systems he needs and no more, and that's manageable *easily* and in a *timely* fashion for both the employee and his employer... and all of this without creating unwanted security holes. That's a tall order. However, what's good for employees in the corporate world isn't necessarily good for us, individuals at home. :) )
    In the meantime, if you can teach website owners who stick to a traditional username/password combo to at _the very least_ *NOT* tie usernames to an email address and to allow *guest* logins as much as possible, that would help tremendously. That would do a lot more good than fancy logons using Passhub. :)

  • @buddyshearer4170 4 years ago

    I get it. I do like this app and their hub site. My question is this. Is there a USB device (the size of a jumpdrive) that can be paired with MY iPhone so that I can click my access for a site and it be entered to the website through the keyboard interface? I have such a device to prevent my screensaver from activating.

  • @JohnnyCiocca 4 years ago

    Really nice. Too bad the self-hosted still requires subscription to a service...

  • @darrengray5125 4 years ago +1

    Have you looked at Sqrl by GRC?

    • @PHATtechy 4 years ago +1

      I'm so glad I'm not the only one on here aware of Sqrl

    • @w3ua684 4 years ago +1

      I would love to hear opinions of those who actually compared WWPass and SQRL in real-life situations (user experience, recovery, reliability, etc.). Both companies provide not-so-easy-to-read-and-understand documentation and patents, both claiming they are the best. Being "aware of" and actually using something daily is a big difference.

  • @cosmicrider5898 4 years ago

    Keepass, pwd plus key. Local pwd storage. Max pwd length. Don't log into websites through your email.

  • @spacemoonkey 4 years ago +1

    If you set up email recovery would that technically make your email password a "master password"? Since if your email is compromised an attacker could just use the recovery process to recover the pass key to their own device?

    • @jamesedwards3923 4 years ago

      I am annoyed some sites remove this option. Remember an email account is another layer of security that must be hacked in order to access the password.
      Secret Question Answers are also an older but still applicable tool to recover an account.
      There is a financial institution that actually gives you a number of options for secondary access.
      1) 2 Factor Authentication Application.
      2) Email Code Confirmation.
      - Sends code that you must then enter.
      3) Secret Question.
      4) SMS.
      Guess which one of these I turned off? SMS should never be used unless you have no other choice!

    • @jamesedwards3923 4 years ago

      Protonmail has a zero knowledge approach. Also has the option to have no recovery option. Best email ever.

  • @randomclips469 4 years ago

    Thanks for the info Shan.
    Wish your channel grows more.
    Keep making interesting tech content

  • @cosmicrider5898 4 years ago +3

    Biometrics are not safe, and definitely not private.

    • @jamesedwards3923 4 years ago

      I never recommend biometrics as a single factor.

    • @cosmicrider5898 4 years ago +1

      @@jamesedwards3923 2FA is better, but you are still giving up privacy if whatever security links to the cloud and isn't just based inside the device.

  • @RadicDotkey 3 years ago

    Useless, doesn't support Safari autofill on iOS.

  • @edtamakloe5875 4 years ago

    This is really a great video that is geared towards another field of password security... great video Shannon, is this going to work well on a Google Pixel phone?

    • @ShannonMorse 4 years ago +1

      Yes!! It'll work on any phone just fine :)

    • @edtamakloe5875 4 years ago

      @@ShannonMorse ooh okay, thanks

  • @jamesedwards3923 4 years ago

    I think this option is valid, but I do not recommend it for most users.
    - Yes, I am the same guy that locked himself out of an encrypted file for years. Which I did eventually regain access to. Too bad, but at least the data was relatively secure LOL.
    This method like any other depends on the threat vectors.
    As you know all methods of storing a database of secure information can be hacked by any number of means.
    The advantage of passwords is that they are malleable. Also you must be able to adapt to threats and environments. Which as a species we have been able to survive. Same thing goes with computer security.
    I would however recommend this for many office environments. In my office I have to have with me at least six passwords depending on the device and applications I use. Unfortunately it is prohibited for me to have a portable device enabled while working. So the paper I have to write these things down on is the only way to get access to many of them. My job could use FIDO key and PIN security, but that would be a good idea so no.
    I would recommend this tool for someone with memory issues. Which some people have with age. Although with those people I would recommend something like password safe. There are branches of keepass that enable FIDO keys, but I use the main client. Which with extensions uses keyfiles. So Password Safe with FIDO keys. Using a passphrase with some random numbers should be secure enough for them. Or failing that, have the elderly or memory impaired people have someone they trust have shared access to their 'retail' password provider. At least stuff that is of critical but non-private nature. Like for example their financials and stuff like that. Have it hashed out by lawyers and what not. It is time consuming, but if you are going to do this both parties should be legally covered. We have all read on the news how elderly and disabled people are taken advantage of.
    So in summary:
    Office Use, perhaps.
    Memory impaired people.
    Low threat vectors. O.K. why not.
    Primary for priority accounts, no way.

  • @mrdormant1314 4 years ago

    I like it, but does it work in a non-internet environment?

  • @Playlistz 4 years ago +1

    Who won the giveaway? I really need it, I'm very poor and I have been looking for them for a while

  • @Ironman0007 4 years ago

    I use enpassword manager.

  • @levo1026 4 years ago +1

    Who won the giveaway?

  • @Froddofromtheshire 4 years ago

    Client side security will always be the single point of failure.

    • @absolnate4538 4 years ago

      Client side security has a lot of threats. Nothing can be secured as long as the human brain exists.

    • @cosmicrider5898 4 years ago +1

      Client side is much safer as they need physical access.

  • @CurtisBallard 4 years ago +2

    I would feel better about your advice if this wasn’t a sponsored video. I think you should have skipped the sponsorship and given a proper overview of solutions to establish credibility.

    • @ShannonMorse 4 years ago +2

      Honestly I've been preaching security advice for over 12 years on Hak5, so if accepting a sponsorship from a security company really bothers you so much I would recommend you do your own research outside of my channel just like I did before I approved their proposal for a sponsorship.

    • @jacquespannetier2035 4 years ago

      @@ShannonMorse : True, but do you have to do a step-by-step demo of *their* product?!? That makes your podcast look like just another infomercial.
      There are ways to talk about security without having to demo the products of your sponsors, I think. That's the whole point.

  • @ElectromaticG5120 2 years ago

    Too long. Show how logging in works.

  • @delspooner3340 4 years ago

    Sooner the better, I'm sick of passwords

  • @Froddofromtheshire 4 years ago

    Passwords are a joke. Brute forcing is a thing. No wordlist necessary.

    • @TheBreed010 4 years ago

      Brute force with no wordlist will end at about 8-10 letter passwords (assuming billions of passwords per second, which is definitely not possible in any online scenario), so not sure where your confidence comes from
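The figures quoted in the two @TheBreed010 comments above (43 mixed-case alphanumerics or 20 diceware words for 256 bits, 22 characters or 10 words for 128 bits, and exhaustive search stalling around 8-10 characters at a billion guesses per second) can be checked with a short entropy calculator. This is an added example, not code from the video, from PassHub/WWPass or from any commenter; the alphabet sizes and the guess rate are assumptions picked to match what the comments say.

```python
import math

# Alphabet sizes assumed for the calculation (constructed constants, not from the page).
CHARSETS = {
    "digits": 10,
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "printable ASCII": 95,
    "diceware word": 7776,  # standard 6^5-entry diceware list
}


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy contributed by one uniformly random symbol from the alphabet."""
    return math.log2(alphabet_size)


def symbols_for_entropy(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of uniformly random symbols that reaches target_bits."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def keyspace_entropy(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string of the given length."""
    return length * bits_per_symbol(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every string of exactly this length (offline attack model)."""
    return alphabet_size ** length / guesses_per_second


def human_duration(seconds: float) -> str:
    """Round a duration to the largest unit that fits, for a readable table."""
    year = 365.25 * 24 * 3600
    for unit, size in (("years", year), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def exhaustive_search_table(alphabet_size: int, guesses_per_second: float, lengths=range(6, 13)):
    """(length, worst-case duration) rows, so a policy can be sized against a guess rate."""
    return [(n, human_duration(seconds_to_exhaust(n, alphabet_size, guesses_per_second)))
            for n in lengths]


if __name__ == "__main__":
    # Length needed for the two entropy targets discussed in the thread.
    for bits in (128, 256):
        for name, size in CHARSETS.items():
            print(f"{bits:>3} bits needs {symbols_for_entropy(bits, size):>3} x {name}")
    # Assumed offline rate of 1e9 guesses/s over the 62-symbol alphabet.
    for n, duration in exhaustive_search_table(62, 1e9):
        print(f"length {n:>2}: {duration}")
```

At the assumed rate, length 8 falls in days and length 10 in decades, which is the 8-10 character range the reply describes; the same functions show why the 256-bit target is an upper bound rather than a requirement.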

    • @jamesedwards3923 3 years ago

      Passwords or passphrases are fine, if they have a sufficient hash and high iteration count.
      The probability of hash collisions are reduced.
      Issues arise when the site or service screws up the hash, salts, and peppers. Or what normally happens, which is humans being lazy with passwords. All the data I have read says the average password is about 10 characters long. Most websites do not restrict you to that. Which tells me these are passwords people are trying to remember. Not just academically. In my offline life many tell me how lazy they are with passwords.
      Even though I post news, guides, etc., most do not care and have their entire lives online.
      This app is a band aid in human behavior.

  • @freaky2xd 4 years ago

    why am I just seeing this now? thanks for the tweet :D
    I can't even count the amount of passwords I have. I used to have a single secure password for EVERYTHING. The day I entered my email address on haveibeenpwned.com was the day I decided to change that, by changing every password and no longer using just one for everything. I might give this a try tho