This video doesn't really talk about the other side: end user compatibility. A regular user does not know how IT Security works nor should they need to know. If we want those people to use password managers they need to be easy to use. This includes being able to securely sync them between devices without having to configure anything and without having to set up own server infrastructure. A keepass file on a Dropbox share is reasonably good. But it also needs to integrate with your browser (unsure if keepass supports this). And honestly, even a proprietary password manager is better than reusing the same password for every website, which a lot of people actually do.
I personally like Bitwarden because I feel it's the best of both worlds. Its code is available and auditable by anyone who wishes to look at it. In that way their zero-knowledge approach can be verified. As we're learning each and every month, it seems that with LastPass, sometimes zero-knowledge doesn't mean the same thing to proprietary platforms. As I obfuscate my usernames for some things too, it was very alarming to me to learn that attackers had access to all of them, and it explained why my bank account kept getting locked out due to password guesses despite my username being a combo of my initials and a string of random numbers.
Browser integration is not really needed for KeePass if you set up autotype correctly. The approach of KeePass and remote storage is amazing as a tradeoff between usability and security. I do that as well, but instead of cloud storage I have it on a host on my local network accessible with a VPN.
@banaantje0456 That works well for someone like you or me. It doesn't work well at all for someone like my mother, who doesn't even have a clue what autotype is, let alone how to set it up. Also, proper browser integration is great protection against phishing, because it won't let you use the password on the wrong website.
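Concretely, the "won't let you use the password on the wrong website" part is a matching decision the manager makes before it fills anything. The following is an added example written for this thread, not code from KeePass, Bitwarden or any other manager mentioned here; the matching rule (HTTPS only, same port, whole-DNS-label suffix match against the saved host) and the tiny PUBLIC_SUFFIXES stand-in list are assumptions chosen for the demo, and real managers apply their own rules:

```python
"""Should a password manager autofill a saved credential on this page?

Added example for the thread above; not the code of any real manager.
"""
from typing import List, Optional
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, used only to
# refuse entries that were saved against a bare registry suffix.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def _host_labels(url: str) -> List[str]:
    """DNS labels of the URL's host, lowercased, with userinfo and port
    already stripped by urlsplit().hostname."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host.split(".") if host else []


def _effective_port(url: str) -> Optional[int]:
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return {"https": 443, "http": 80}.get(parts.scheme)


def should_autofill(saved_url: str, page_url: str) -> bool:
    """True only if the credential saved for saved_url may be filled into
    a form on page_url.

    Rule chosen for this demo: the page must be served over HTTPS on the
    same port, and its host must equal the saved host or sit under it as
    a subdomain, compared label by label from the right.
    """
    if urlsplit(page_url).scheme != "https":
        # Filling into http:// hands the secret to anyone on the path.
        return False
    if _effective_port(saved_url) != _effective_port(page_url):
        return False

    saved = _host_labels(saved_url)
    page = _host_labels(page_url)
    if not saved or not page or ".".join(saved) in PUBLIC_SUFFIXES:
        return False

    # Whole-label suffix match. A substring test would accept
    # "example.com.evil.net" and "notexample.com"; hostname already
    # dropped "user@", so "https://example.com@evil.net/" compares as
    # evil.net, and a lookalike host with a non-ASCII letter simply
    # does not equal the saved labels.
    return len(page) >= len(saved) and page[-len(saved):] == saved


if __name__ == "__main__":
    # Constructed sample pages for the demo.
    for page in ("https://accounts.example.com/signin",
                 "https://example.com.evil.net/",
                 "https://example.com@evil.net/",
                 "http://example.com/"):
        print(page, "->", should_autofill("https://example.com", page))
```

The cases that matter are the ones a naive substring check gets wrong: example.com.evil.net, notexample.com, the user@host trick, and a lookalike host with a non-ASCII letter. A human reading the address bar gets these wrong too, which is exactly the phishing protection being described.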
You say not using a password manager borders on insanity... but 90% of websites you need to log into are junk sites, and I don't care if the "password" I use gets leaked and they get access to all the other junk sites. The accounts that matter I've got separate passwords for, and there really aren't that many; I could count them on my fingers.
Yeah, these junk sites together can build your entire identity and give a lot of information to the hacker, so it would be easier for him to get a password for "main" accounts. @mantyy
First time I actually see in one of your videos a vuln that I have used to complete a HTB machine, specifically one called Keeper. It was so satisfying to see that and be like "oh, oh I know that one, I've already used it to hack stuff".
Very informative, thank you. I don't know why I never considered that there could potentially be a program that reads keyboard inputs. Having something like that sending info back is wild.
I remember having a discussion with the previous system admin at my current job about password managers. He was telling me how awesome this one manager was, and of course it was all in the cloud. I looked at him and said someone else knows your passwords. He laughed and said no they don't, because they keep it encrypted and it uses SSL. Even tech people can convince themselves of false security when they should know better; this is why I try and self-host everything. The cloud is not secure, and the whole idea of keeping passwords there really boggles my mind. Why would anyone think that is secure...
I'm sure others use the same technique, but I've learned to type in a certain way so that I could just remember a phrase as my password for any given login and then type it quickly while the end result looks nothing like the phrase I memorize.
I haven't read the CVE thing, so I might be talking about a different thing. I think there's a scenario that it might be worse than just corrupting the DB: the attacker can change the master password and then copy the database file. This way, they can unlock the DB file later and gain access to your passwords. If they create a backup copy of the file beforehand and then restore it, one might not even be aware of this happening. A way to mitigate this would be to require the current master password when there's a request to change it, even if the DB is unlocked at that time.
A simple user defined timeout feature could mitigate the database being left open for a length of time. They can corrupt it all they want, as long as you have a couple of backups in different places.
My password manager is a book. It's much harder to gain my passwords if you can't gain them by hacking into a password manager and can only get them by physically committing theft.
@capitolia The only passwords saved on my phone are for Discord, Brilliant and Disney+. Yes, a long time ago I had to type them in manually. My approach is to keep important things as far away from my phone as possible.
I'm a web dev and my next project is an open-source, web-based password manager. It's probably not going to be amazing, but it's my data on my software on my hardware on my network.
If you're going to use a Password Manager, it's best practice to modify the saved password by adding or removing some characters. When you need to use a password, adjust the characters as needed. This way, even if it gets leaked, the password won't work for anyone else.
Don't agree at all. It's way better to use your password manager's password generator. When making a password I usually set the max character limit that the site allows. Sadly some actually cap you at 15-char passwords... in 2023. Some sites though I have 99-char passwords for, because why not. If the site gets breached, just change the password. Rinse and repeat.
@mtk3668 Yeah, but I think the OP is still saying to use that, then change some characters by a method you'll remember, so that even if the password manager gets hacked you still have another subtle layer to the real passwords in use.
@Jordan-hz1wr While that's true, I maintain a password manager for like 15 people, and have a local DNS, local mail server and everything. Vaultwarden makes self-hosting super simple (literally a Docker container).
Mental Outlaw, I know you talked about other companies that seem to do a very good job protecting passwords that you have used. I just have a question about Kaspersky password protection: has there been any leakage you know about, or data sharing? I know it's a Russian company, but online I can't seem to find a genuine article talking about data breaches, other than Redditors going dumb and scaring others using "I have heard" statements rather than facts about the password manager. Would love an insight or video on this topic, please 🙏
I don't understand people using password managers. So to make it harder to get your passwords, you put them in an online source, and you bundle all your passwords into one single password. Makes sense?
Been using pass for a while now. It uses GPG to encrypt your passwords. Sync is done by pushing and pulling a private git repository. Redundancy is achieved by having secondary private remote repositories. My actual passwords are generated randomly most of the time, making them useless in leaks. Using MFA where I can then keeps me pretty safe.
Imho you really should recommend cloud-based managers, because the people asking you will inherently be non-technical people who can't set up something like KeePass themselves. Usually if they can't easily use the manager on all devices with one-click setup, they will just end up using the same password for everything and be vulnerable to data breaches. My brother or my dad, for example, aren't going to be able to set up KeePass on every device, with differently named apps, let alone understand that the database needs to sync from somewhere like a private git repo or OneDrive to stay up to date.
His point is to use an open-source password manager that can be self-hosted if wanted. Using a full-on paid, proprietary, cloud-based one is just asking to have data stolen. Bitwarden is a good example of a proper good cloud-based password manager.
The best method is taking an ordinary book, getting a fountain pen and some UV ink (invisible ink), and writing the passwords in said book using a UV light. If anyone looks at the book it's just a book, but when you shine a UV light on it you can read your passwords. Hiding in plain sight.
Here's how you can be really jacked and remember all your passwords: every time you forget a password, do one push-up. This will make you stronger than The Rock and give insane memory power. Makes you stronger and smarter LMAO
Nothing can ever be as secure as memorization. You can memorize any sequence of characters by simply typing them out over and over until you no longer have to look. In my experience, this can be accomplished in less than an hour
there was a password manager, I forget what name it was since I just memorize my passwords, but it used a much better approach, it takes the combination of your username, the website name, and your master password, then generates from that a unique password. this means there is no database file you can lose or have to carry with you, and you only need to remember one password. as long as the generation process is cryptographically secure, that seems by far the best to me.
Terrible ideas, both of them, that kind of deterministic system gives power to the attacker: you need to be perfect and they only need to find a single point of failure to completely compromise you
The biggest drawback of this style of password manager is that there is no good way to change your passwords. Some add an additional number you increase every time you change your password, but then you have to remember the correct number and that isn't convenient.
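The scheme in the last three comments (master password plus site, username and a rotation counter, no database) and the objection to it can both be shown in a few lines. The following is an added example and not the code of any real deterministic password manager; the derivation (scrypt over those inputs, mapped onto a fixed alphabet), the cost parameters and the sample inputs are assumptions for the demo:

```python
"""Stateless password derivation with a rotation counter, and what one
leaked site password gives an attacker.

Added example for the thread above; not the code of any real product.
"""
import hashlib
import string
from typing import Iterable, Optional

# Output alphabet: 70 symbols (letters, digits, a few punctuation marks).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
# Largest multiple of len(ALPHABET) that fits in a byte; bytes at or above
# it are discarded so every symbol stays equally likely.
_LIMIT = 256 - (256 % len(ALPHABET))

# scrypt cost. Assumption: kept modest so the demo runs in well under a
# second; a real tool would tune these much higher.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_password(master: str, site: str, username: str,
                    counter: int = 1, length: int = 20) -> str:
    """Derive a site password from the master password alone.

    site, username and the rotation counter are the salt, so the same
    inputs always give the same output and nothing has to be stored or
    synced. Change the counter to "rotate" the password.
    """
    out = []
    block = 0
    while len(out) < length:
        # Each extra block gets its own salt so more bytes can be pulled if
        # rejection sampling discards too many.
        salt = (f"dpm-demo-v1\x00{site}\x00{username}\x00{counter}"
                f"\x00{block}").encode()
        raw = hashlib.scrypt(master.encode(), salt=salt,
                             n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
        # Rejection sampling; a plain b % 70 would bias the first 46 symbols.
        out.extend(ALPHABET[b % len(ALPHABET)] for b in raw if b < _LIMIT)
        block += 1
    return "".join(out[:length])


def crack_master(leaked_password: str, site: str, username: str,
                 counter: int, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker does with ONE derived password (from a breached
    site that stored it in the clear, a phishing page, a keylogger): test
    master-password guesses offline, with no server to rate-limit them.
    A hit unlocks every site, the 'single point of failure' above.
    """
    for guess in wordlist:
        if derive_password(guess, site, username, counter) == leaked_password:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    pw1 = derive_password("hunter2", "example.com", "alice")
    pw2 = derive_password("hunter2", "example.com", "alice", counter=2)
    print("counter 1:", pw1)
    print("counter 2:", pw2)  # the user must now remember '2' for this site
    print("recovered master:",
          crack_master(pw1, "example.com", "alice", 1,
                       ["password", "letmein", "hunter2"]))
```

Two things fall out of running it. Rotating a password means remembering that example.com is now on counter 2, so the per-site state you wanted to avoid creeps back in. And because a single derived password is a verifier for the master, anyone who obtains one can run crack_master offline with no lockouts; the scrypt cost slows that down but does not change it, so the master has to be strong enough to survive an offline attack on its own.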
In my family everyone has an unhackable password manager; it's called a notebook. But then it's useless without the second part, which I keep encrypted on my PC in a simple cmd program I made using off-the-shelf crypt programs. You put in a master password, then the notebook password, and you get the second part of the password.
Or, hear me out, you could just not use a secondary program to store your passwords and just write them down somewhere physically? People can’t hack paper.
Depends on your threat model. If you live in a country where the security services will happily break into your home and go through your things, you're gonna want another solution. But if your home is secure and you're mainly worried about online attacks, then paper is alright. Just make sure you have an offsite backup in case of fire - might be a pain keeping that in sync. And password managers have other useful features like auto type - that allows you to enter your password in a public place without worrying about people shoulder surfing, not so easy with paper
I encrypt my passwords as pairs of riddles and answers, only write the riddle on a note, put the notes in glass bottles and put the closed bottles in the water tank of my out of order toilet. The bathroom door is closed and requires a key that you can only get by tickling the balls of a specific goat that only appears at the second night after full moon. You have to tickle the goat with a special glove that is hidden away near a tree by a river where there’s a hole in the ground where an old man of Aran goes around and around. And his mind is a beacon in the veil of the night. For a strange kind of fashion there’s a wrong and a right. So yeah pretty difficult to get to my passwords I think.
The thing with self hosting is you’re probably not smarter than a team. But you might think you are, which is worse. Having a self-hosted, open-source password manager accessible only from behind a VPN is probably good enough most of the time though.
My brain is like an enigma; good luck trying to find my passwords. Can't read the storage medium, and it doesn't need internet or a computer to hold the information.
I write my important passwords in a notebook using a special alphabet I made that has letters for specific combinations of letters that don't exist in common alphabets. I can read and write it fluently so I can write passwords on sticky notes at work and it would probably take a lot of work for someone to translate, more if I used some kind of cipher
I memorized the four-square cipher; super easy to learn. Change around letters and numbers based on something that only makes sense to you: position in the alphabet, a letter that looks similar to another, first number offset by 2, second by 3, whatever. You end up with a total mess that only makes sense to you.
Too bad your fancy language has to be serialized into a UTF-8 string (in best case scenario) anyway and therefore can be brute-forced like a byte-array representing said string with no awareness of the language.
My threat model is mostly me forgetting my own master password to the password manager. Everything else is a lesser threat.
think of your favorite animal, lookup its scientific name and use that as your password. Now, any time you forget your password you just have to search up your favorite animal.
@phillipanselmo8540 maybe your mpw should be a bit stronger than something that falls to a dictionary attack. Better add 123 to the end just to be safe.
Sentences work best as passwords. Easier recall, less likely on a master list, harder to brute force.
correct horse battery staple
@eitantal726 nooooo!! Dr Mike Pound said NOT to use that one.
I reckon my notepad document can do the job
Frfr
best comment lol
@KGBMajorValeriP what if someone hits you in the head really hard though? You need a backup just in case. This comment is sponsored by helmets.
I mean have you really delved into password management until you have Veracrypted a txt document?
I just wait until the junk mail I use as a mouse pad gets a hole worn into it and then write it on that and tape it to the wall next to my pc
Can't lose your password if you never knew them 😎
@cold_static the logic is flawless really
@FrogsRghey I use the same logic as a mechanic. Can't have a coolant leak if there is no coolant.
I'm a Chad "forgot your password?" clicker for login every time, sending proof of life every time in a 48h+ process with their enterprise helpdesk
Ah, the old loop of resetting the password every time
Solid choice
Smart Chad move 👌
I store my passwords in quantum superposition, I either remember them or not and I don't know if I do until I need to use them 😎
Schrodinger's Jelly
But if you don't that means a parallel universe you do.... what if he's working with the pigs snitching on YOU, or what if he was the hacker all along?
can't hack me if there's nothing to hack, can't break and enter if there's nothing to break, can't steal if there's nothing to steal.
I'm poor, pretty sure they would offer to pay me for a new identity.
oh nice me too! I just updated to v.20.1. Do you also have that weird bug where sometimes another evil version of you comes from a parallel universe to attack your family? I thought the devs patched it... shame
Best comment here lmao
I loved it in Battlestar Galactica when they would make such a big deal about the fact that none of their systems were networked to each other - and the one time they did need to run a network, they treated it like the most batshit insane idea anyone could possibly have and as the most dire situation they could possibly be in.
If there’s one benefit to nearly being genocided by A.I., it’s that you sure do learn to respect OpSec right quick.
Also worth adding the Ukrainian and Taiwan flag emoji to your passwords. This keeps you safe from the Russian and Chinese hackers who won't have them out of principle.
That's very comical but it might actually be true!
That sounds like some made-up soy-infused bs from reddit
...you have emoji on your keeb?
and then add Russia and China flag emoji next to 'em so Ukrainian and American hackers won't get you
@slavic_commonwealth might as well add a bullseye emote then, cause that's how you'll look to the CIA / FBI
In my opinion, it's best to educate on "good enough" or "reasonable" security. The best in class security which works well for high value targets is not necessarily the most appropriate for the average citizen. Additionally, no matter how good your password practices are, you are still vulnerable to attacks on the services you use, like a credit rating agency, online tax submission, insurance services, any business or utility that stores your credit card or has direct debit capabilities. Many of these services are difficult to avoid using too.
Perhaps we can teach people more about context however. Like don't keep your passwords for work in the same password manager as the one you use privately.
There is also the balance between security and convenience. Being logged out automatically from your bank after 5 minutes of inactivity is good, but perhaps you would be annoyed if your social media accounts did the same.
The same perhaps also with multifactor authentication.
All that being said, this video does have very good points :)
Buying physical gift cards with cash is a good way to keep your debit cards off databases
On KeePass, if you have a secured printer, you can actually print out your passwords very neatly and organized if you fancy having a physical backup.
Your printer and its software trustable?
"a secured printer" you guys are delusional. no one has hacked your printer.
@omicronx94 Adding to this, ensure it is not publicly wireless. Turning off its Wi-Fi Direct or embedded networks, and preferably linking it over Ethernet to your network rather than Wi-Fi, is more secure. Also, some printers have this "email to printer" function, but obviously that goes through the internet. Best bet for paranoid people is to have a VLAN between the printer and the device where they can communicate but cannot access the internet. Then after this step you burn your printer and send it into space aimed at the sun.
@omicronx94 you made me laugh)
@omicronx94 some printers can store copies of printed documents by default
My favorite password manager is the combo-locked journal that never leaves my backpack, with cryptic riddles and secrets that need to be used for translating the passwords
keeping them written down on a piece of paper is more secure than many password managers, assuming you don't lose it
Yeap, my passwords NEVER end up on a digital device, ever.
That's what I'd do honestly, and it hasn't failed yet.
A) It depends on your situation a bit. Do you carry it on you? Then it could easily get stolen. Do you keep it in your house? Could still get stolen in a robbery, or abused by a family member or whoever else you live with. Most people can trust their family members, but not all. A fire-proof safe is a good idea, that will certainly be enough for 99% of people. If it is a good safe and not cheap junk.
B) Writing passwords down encourages the use of shorter, easier to type passwords than a solution involving copy and paste.
But depending on your personal threat model, a paper list could be a viable option.
Good points! I will say that the robbery thing is less of a threat than many think. If your little password book is non-obvious it's not going to be stolen. And in an in person robbery they'll generally be after immediate items that can be sold or used quickly.
I have hundreds of passwords, whenever possible going from 30 to 50 chars long.
It is simply impractical to write it down.
jokes on you I write my passwords in my walls
I also write my passwords in your walls
So _you're_ who that second set of passwords belongs to. That scraping gets very annoying in here.
Guys, someone keeps writing funny words on my snacks, I need help stopping it
Another thing to take in consideration is malicious browser extensions, both ones that present themselves as a password manager or connect to your password manager
Been using pass since 2013 and do not think I will stop any day soon. Simplicity always triumphs!
Which can easily add two-factor authentication by using a smartcard.
Honestly never heard about that, I just use a private key.
@quidquopro1185 It's a private key on a separate card, like a SIM card but bigger. You can also use something like a YubiKey that also contains an OpenPGP card.
what is pass?
Ah yes, the well known program "pass"
E: the standard Unix password manager?
Great to see that Jason Tatum is so knowledgeable about this stuff
Dude looks & sounds like Vegan Gains 10x more than that guy.
I like the convenience of cloud-based solutions. Tbh I don't have a problem with them if the client is open-source and I can verify that it sends and retrieves nothing that isn't encrypted locally.
That's why I use Bitwarden. The client(s) and the server are open source, but they host their own publicly available instance. All my passwords are randomly generated, so even if Bitwarden gets breached, I'm pretty confident the attackers won't reverse the hash.
Hey Mental Outlaw, do you have plans of discussing security on self-hosted services? ...
I'd like to see this. I used to keep my KeePass file on Google Drive, then thought it's probably NOT a good idea. I'd much rather self-host.
@pureheroin9902 why is it a bad idea?
There's a lot of self hosting channels out there. Just search hardening whatever you're self hosting
@pureheroin9902 Resilio Sync it to yourself, or Syncthing
Same. The only thing is I don't trust myself to properly secure my system.
my exp rates go up 10% every time mental outlaw uploads.
MY LIFE IS LIKE A VIDEO GAME
Every time I see Keepass I always read it as "keep ass"
My paper notebook has 3 defenses: a locked door, a dog, and a gun. Hack that glowie.
ATF grabs the gas
Doors can be unlocked without the key.
A dog can be killed or bribed with food.
You aren't always going to have your gun on hand.
What if you leave your notebook at home when you're not there?
@deleted_handle all of that would apply to a computer too... except paper can't be remotely hacked...
@deleted_handle stash that piece of paper in a crusty sock under the bed
I actually remember all my DIFFERENT passwords, as my insane brain is the safest software I know of
Based
For me the way to remember my password is to follow a format. Yeah, if one gets compromised the same format can be used to access my other accounts, but I use different nicks in my password for it.
Bitwarden is the GOAT of password managers
Man, I gotta say this. When I see your face and hear your voice there's just something that pops up inside of my heart ❤. Love you so much.
I store my passwords on the tablets God gave Moses so I think I am good
Are the tablets encrypted? Asking for Aaron
I see you're a TempleOS fan.
I'm adding 10 commandments to my hash cracking dictionary, thank you!
@@nobodytrulyimportant comedy
based
Friendly reminder to back up your KeePass files to the cloud/NAS (preferably in an encrypted 7z archive)
Can keepass read and edit the file inside the 7z? Or do you have to take it out every time
The database is already encrypted with your master password. No need to encrypt it again.
@W4nn3 furthermore, if your NAS supports SED, use that. It makes your drives encrypted on the fly, so even if the NAS is physically stolen nobody can even see what files are on it to begin with, so they won't know you've got a KeePass database.
@W4nn3 nothing wrong with multi-layer encryption, also super useful for compartmentalized databases
Yo dawg, I heard you like encryption, so I put an encrypted vault in an encrypted vault so you can decrypt while you decrypt.
Eh, idk. This meme has better uses.
Cloud based has a purpose. It's to build and update someone's dictionary db.
TRUE! it gives ammo to our enemies
A video about how to securely use your Android phone, or overwrite it with something like Tails for example, etc., would be handy.
buy a phone that supports any other version of Android, install the OS, use it. That's quite simple. Oh, and remember that Android (as much as iOS) is not secure by design. There might be some software that tries to encrypt some data, but it's hardly possible to have more privileges than the OS itself.
@@pyqio so, Android is one (if not THE most) of the most secure OSes according to some dude that works on either tails, qubes or whonix, he's done some deep dives on this on dread (could be a glownie tho). Apparently since the beginning of Android every app has been compartmentalized into an isolated VM (makes sense, I remember the whole dalvik VM fiasco) and nowadays all phones starting from Android 8 have full disk encryption
Whether your manufacturer pozzed the ROM/encryption or not is a whole different thing, but if you run AOSP there is nothing pozzed there.
Also sorry for the vagueness it's been around half a year or so since I read the info, it's not fresh in my mind
This video wasn't what I expected and it's useless for my needs❤
Not watching but the trick is to have a password you use for everything. You’ll use that as your second half. The first half can be stored in a password keeper. This way when you autocomplete your password there’s still a bit of manual work to do to get logged in.
I just wrote my own password manager, it is really quite simple to do if you understand using simple encryption libraries (just wait until those become vulnerabilities).
It stores all passwords in an encrypted file, which you unlock with a master password, and can also encrypt each entry a second time with a different password. You can also store other files, and just plain text, in this encrypted database, and you can generate totally random new passwords when you need to change them (as you should regularly do). Really is quite useful.
Keepass has most of the same features, so I say you did a good job, bravo on the storing other files part. I don't think you can do that in KeePass actually.
@@adamk.7177 you can store other files in keepass if I remember correctly
But did you implement any process isolation features?
Things like running in a secure desktop and with a different SID
>I just wrote my own password manager
I did it too lol, but don't use it since I fear it bugging and I'm not a good developer
@@adamk.7177 , I think you can, actually, at least in the android version, I recall having something like that.
This video doesn't really talk about the other side: end user compatibility. A regular user does not know how IT Security works nor should they need to know. If we want those people to use password managers they need to be easy to use. This includes being able to securely sync them between devices without having to configure anything and without having to set up own server infrastructure. A keepass file on a Dropbox share is reasonably good. But it also needs to integrate with your browser (unsure if keepass supports this).
And honestly, even a proprietary password manager is better than reusing the same password for every website, which a lot of people actually do.
I personally like Bitwarden because I feel it's the best of both worlds.
Its code is available and auditable by anyone who wishes to look at it. In that way their zero-knowledge approach can be verified. As we're learning each and every month it seems that with LastPass, sometimes zero-knowledge doesn't mean the same thing to proprietary platforms.
As I obfuscate my usernames for some things too, it was very alarming to me to learn that attackers had access to all of them and explained why my bank account kept getting locked out due to password guesses despite my username being a combo of my initials and a string of random numbers.
Browser integration is not really needed for keepass if you set up autotype correctly. The approach of keepass and remote storage is amazing as a tradeoff between usability and security. I do that as well, but instead of cloud storage I have it on a host on my local network accessible with a VPN.
@@banaantje0456 that works well for someone like you or me. It doesn't work well at all for someone like my mother who doesn't even have a clue what autotype is, let alone how to set it up.
Also proper browser integration is great protection against phishing, because it won't let you use the password on the wrong website.
KeepassXC has great browser integration
0:26 Flamin’ hot security
YouTube keeps unsubscribing me from you, why, this is one of my favorite channels on youtube, youtube stahp
You say not using a password manager borders on insanity... but 90% of websites you need to log into are junk sites that I don't care if the "password" I use gets leaked and they get access to all the other junk sites. For the accounts that matter, I've got separate passwords, and there really isn't that many, I could count them on my fingers.
yeah, these junk sites together can build your entire identity and give a lot of information to the hacker, so it would be easier for him to get a password for "main" accounts. @mantyy
First time I actually see in one of your videos a vuln that I have used to complete a HTB machine, specifically one called Keeper.
It was so satisfying to see that and be like "oh, oh I know that one, I've already used it to hack stuff".
your videos have gotten a lot better over the years! gg!
How's notepad in a veracrypt container?
I trust these hands more than the cloud
I love my password manager, aka my arduino that emulates a keyboard and types the same password every time it’s plugged in
Very informative, thank you. I don't know why I never considered that there could potentially be a program that reads keyboard inputs. Having something like that sending info back is wild.
Text editor does wonderfully for me
Very secure (notebook on my desk requires physical access)
I’ll wait for the people warning you about burglaries, house fires or evil people disguised as friends.
I use both Bitwarden and Proton pass manager. 👍
I was wondering, what about bitwarden? Sure it's cloud, but it's FOSS
I remember having a discussion with the previous system admin at my current job about password managers. He was telling me how awesome this one manager was and of course it was all in the cloud. I looked at him and said someone else knows your passwords. He laughed and said no they don't because they keep it encrypted and it uses SSL. Even tech people can convince themselves of false security when they should know better, this is why I try and self host everything. The cloud is not secure and the whole idea of keeping passwords there really boggles my mind, why anyone would think that is secure...
Jason Donenfeld? Yes, this is the same man behind WireGuard!
I'm sure others use the same technique, but I've learned to type in a certain way so that I could just remember a phrase as my password for any given login and then type it quickly while the end result looks nothing like the phrase I memorize.
I like your club penguin shirt
I haven't read the CVE thing, so I might be talking about a different thing. I think there's a scenario that it might be worse than just corrupting the DB: the attacker can change the master password and then copy the database file. This way, they can unlock the DB file later and gain access to your passwords. If they create a backup copy of the file beforehand and then restore it, one might not even be aware of this happening. A way to mitigate this would be to require the current master password when there's a request to change it, even if the DB is unlocked at that time.
A simple user defined timeout feature could mitigate the database being left open for a length of time. They can corrupt it all they want, as long as you have a couple of backups in different places.
@@BillAnt And what would be a sensible timeout that on the one hand mitigates the problem and on the other doesn't make the UX unbearable?
@@IvanToshkov That's why I wrote "a user defined timeout". Anywhere from a minute to an hour, whatever you feel comfortable with.
I keep important passwords and keys on Casio PDA from early 90s. Was practicing air gap even before it became mainstream, it appears.
My password manager is a book. It's much harder to gain my passwords if you can't gain them by hacking into a password manager and can only get them by physically committing theft.
In my last company we were considering a cloud password manager. We decided not to. 5 months or so after, said service was hacked.
Lastpass moment
A self hosted password manager is doing the trick for me.
never thought I'd see jayson tatum telling me about password managers but here we are
Doesn't matter what password managers you use, remember to shuffle it all once in a while.
I have been using a Kingston DataTraveler USB stick and KeePass portable for about 10 years.
…and for the mobile phone?
@@capitolia The only passwords saved on my phone are for Discord, Brilliant and Disney+. Yes, a long time ago I had to type them in manually. My approach is to keep important things as far away from my phone as possible.
I use bitwarden with the anticipation that ill self host at some point.
You can roll back your database with gdrive. Did it a couple of months ago when it became corrupted
I'm a web dev and my next project is an open source, web based password manager. It's probably not going to be amazing but it's my data on my software on my hardware on my network.
If you're going to use a Password Manager, it's best practice to modify the saved password by adding or removing some characters. When you need to use a password, adjust the characters as needed. This way, even if it gets leaked, the password won't work for anyone else.
So like weakly encrypting it before storing it?
Don't agree at all. It's way better to use your password manager's password generator. When making a password I usually set the max character limit that the site allows. Sadly some actually cap you at 15 char passwords.. in 2023. Some sites tho I have 99 char passwords for bc why not. If the site gets breached, just change the password. Rinse and repeat.
@@mtk3668 Yeah but I think the OP is still saying to use that, then change some characters by a method you'll remember so that even if the password manager gets hacked then you still have another subtle layer to the real passwords in use
@@mtk3668 wrong. Original post is the correct way to store passwords. Password manager has first half, your brain has second half.
I was pleasantly surprised when my local country taxes website allowed for 256 long passwords… keepass autocomplete go brrrrr
Keepass ftw
Title reminds me of, "What color is your Bugatti?"
I don't know why I ever thought you were a white man in his early 40s who has been in the IT space since 2005😀. Keep up the good work, man. Love the videos
*laughs in a sticky note attached to the monitor with the passwords*
Well, you could write down your passwords and store them in a safe deposit box as a backup.
LOL! Love the Cheeto dead bolt!
Self-hosted Vaultwarden, syncing only when I'm in the local network. Kinda works like a pseudo-sync.
I’d rather be responsible for 1 single .kdbx file than need to self host an entire backend server infrastructure.
@@Jordan-hz1wr while that's true, I maintain a password manager for like 15 people, and have a local dns, local mail server and everything. vaultwarden makes selfhosting super simple (literally a docker container)
you're not schizo enough, then. @@Jordan-hz1wr
My password manager is my brain. Good luck hacking into that
one wrench costs only five bucks
So what is the bottom line? You kept mumbling about vulnerabilities. What is the solution for the average user?
Mental Outlaw, I know you talked about other companies that seem to do a very good job protecting passwords that you have used.
I just have a question about Kaspersky password protection? Has there been any leakages you know about or data sharing?
Ik it's a Russian company but online I can't seem to find a genuine article talking about data breaches other than redditors going dumb and scaring others using "I have heard statements than facts" about the password manager.
Would love an insight or video on this topic, please 🙏
What is your opinion of the trend of moving to passkeys?
The most secure is the simple ones, remember it or put it in a physical lock on a piece of paper
I use passport, it comes with Gryphin Router. It's a block chain storage container
I don't understand people using a password manager. So to make it harder to get your passwords, you put them in an online source, and you bundle all your passwords under one single password. Makes sense?
Been using pass for a while now. It uses GPG to encrypt your passwords. Sync is done by pushing and pulling a private git repository. Redundancy is achieved by having secondary private remote repositories. My actual passwords are generated randomly most of the time, making them useless in leaks. Using MFA where I can then keeps me pretty safe.
Ooh, sounds neat? Do you know if it syncs with mobile devices?
@@RonWolfHowl There's an Android app for it, called password-store.
@@RonWolfHowl just use keepassxc and sync them between devices using syncthing 😎
Imho you really should recommend cloud based managers, because the people asking you will inherently be non-technical people who can't set up something like keepass themselves. Usually if they can't easily use the manager on all devices with one click setup then they will just end up using the same password for everything, and be vulnerable to data breaches. My brother, or my dad, for example aren't going to be able to set up keepass on every device, with differently named apps, let alone understand that the database needs to sync from somewhere like a private git repo or one-drive to stay up to date.
His point is to use an open source password manager that can be self-hosted if wanted. Using a full on paid, proprietary cloud based one is just asking to have data stolen. Bitwarden is a good example of a proper good cloud based password manager.
The best method is taking an ordinary book, getting a fountain pen and some UV ink (invisible ink) and writing the passwords in said book using a UV light. If anyone looks at the book it’s just a book, but when you shine a UV light on it, you can read your passwords. Hiding in plain sight.
That sounds like a great idea for a backup but it doesn't really sound like a proper substitute for a password manager.
I am astonished at how many people genuinely think paper is a smart option.
It is. Immune to hacking.
@@catmando268 It's not. It's immune to digital hacking, but is susceptible to many more threats.
Here's how you can be really jacked and remember all your passwords: every time you forget a password, do one push up. This will make you stronger than the Rock and give insane memory power, makes you stronger and smarter LMAO
The virgin proprietary password manager can't even touch the Chad having no money to steal.
If you can read memory you can almost certainly log keystrokes anyway.
"Old Man Yells at Cloud"
What would you say of something like Bitwarden, which is open source, but still cloud based
It's still someone else's computer.
@@kaper-sd9qx If it's on the internet it's a target. If they turn off their PC, you lose access. You don't know them, you shouldn't trust them.
My personal favorite password manager:
The 5gb LUKS partition on my server
Nothing can ever be as secure as memorization. You can memorize any sequence of characters by simply typing them out over and over until you no longer have to look. In my experience, this can be accomplished in less than an hour
Hopefully nobody is tracking all that typing, lol
Works well unless you have 180+ logins and passwords
It’s not secure in cases of coercion .
Nah, imma just write it down on paper and keep it in a locked drawer.
.......you're gonna spend an hour memorizing a password every time you sign up for something?
Bruh......
I made my own terminal based password manager with AES-256 encryption that requires a specific USB to run
There was a password manager, I forget what name it was since I just memorize my passwords, but it used a much better approach: it takes the combination of your username, the website name, and your master password, then generates from that a unique password. This means there is no database file you can lose or have to carry with you, and you only need to remember one password. As long as the generation process is cryptographically secure, that seems by far the best to me.
You can program it yourself, it just hashes those strings (username, website, master)
Terrible ideas, both of them, that kind of deterministic system gives power to the attacker: you need to be perfect and they only need to find a single point of failure to completely compromise you
So instead of a hacker needing to discover your master password and then read your password data, they just need to discover your master password.
@@the1necromancer and how will they do that mr genius? how will they even discover that I am using this specific password manager?
The biggest drawback of this style of password manager is that there is no good way to change your passwords. Some add an additional number you increase every time you change your password, but then you have to remember the correct number and that isn't convenient.
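An added example (not any commenter's code and not the implementation of any real password manager) of the deterministic scheme sketched in this thread: master secret, site and username go through a KDF, and the counter mentioned in the last reply is the only handle for rotation. All names and inputs are constructed.

```python
import base64
import hashlib

# Hypothetical deterministic password derivation, as sketched in the comments.
# Nothing is stored: every site password is recomputed from the master secret.


def derive_password(master: str, site: str, username: str,
                    counter: int = 1, length: int = 20) -> str:
    """Derive a site-specific password from (master, site, username, counter).

    site/username/counter form the salt, so each account gets a different
    password; scrypt makes each guess of the master secret expensive.
    """
    if counter < 1:
        raise ValueError("counter starts at 1")
    salt = f"{site}\x00{username}\x00{counter}".encode("utf-8")
    key = hashlib.scrypt(master.encode("utf-8"), salt=salt,
                         n=2 ** 14, r=8, p=1, dklen=32)
    # Printable fixed-length password: base64 gives letters, digits, '+', '/'.
    return base64.b64encode(key).decode("ascii")[:length]


def rotate(state: dict, site: str, username: str) -> int:
    """Record that the password for this account was changed.

    The only way to get a new password in this scheme is to bump the counter,
    and the counter itself must be remembered (the drawback raised above).
    """
    key = (site, username)
    state[key] = state.get(key, 1) + 1
    return state[key]


def demo() -> dict:
    """Constructed inputs; returns observations a reader can check."""
    master = "correct horse battery staple"   # constructed, not a real secret
    site, user = "mail.example.com", "alice"
    first = derive_password(master, site, user)
    same_again = derive_password(master, site, user)   # reproducible anywhere
    other_site = derive_password(master, "shop.example.com", user)
    counters = {}
    new_counter = rotate(counters, site, user)
    rotated = derive_password(master, site, user, counter=new_counter)
    # A different master changes every site password at once: whoever holds
    # the master can derive all accounts with nothing else to "read".
    wrong_master = derive_password(master + "!", site, user)
    return {
        "reproducible": first == same_again,
        "per_site": first != other_site,
        "rotation_changes": first != rotated,
        "counter_after_rotation": new_counter,
        "master_change_changes": first != wrong_master,
        "length": len(first),
    }
```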
My password manager is the strongest - just remember it, and if you forget you have recovery options always
In my family everyone has an unhackable password manager, it's called a notebook, but then it's useless without the second part that I keep encrypted on my PC in a simple cmd program I made using off the shelf crypt programs. You put in a master password, then the notebook password, and you get the second part of the password
Or, hear me out, you could just not use a secondary program to store your passwords and just write them down somewhere physically? People can’t hack paper.
Ever heard of the wrench hack?
@@travelfar4230 like a computer hacker is able to interact with the real world lol
Depends on your threat model. If you live in a country where the security services will happily break into your home and go through your things, you're gonna want another solution. But if your home is secure and you're mainly worried about online attacks, then paper is alright. Just make sure you have an offsite backup in case of fire - might be a pain keeping that in sync. And password managers have other useful features like auto type - that allows you to enter your password in a public place without worrying about people shoulder surfing, not so easy with paper
And bring them everywhere you go? So that when someone sticks you up for your laptop bag - they get everything? Great idea.
@@holdenwinters68 why would you keep all your possessions in one bag
My bunch of sticky notes is my password manager 🔑
not auto updating = best feature imaginable
I have a password manager, it's a notepad. 100% offline and secure.
JT doing side quests
I encrypt my passwords as pairs of riddles and answers, only write the riddle on a note, put the notes in glass bottles and put the closed bottles in the water tank of my out of order toilet. The bathroom door is closed and requires a key that you can only get by tickling the balls of a specific goat that only appears at the second night after full moon. You have to tickle the goat with a special glove that is hidden away near a tree by a river where there’s a hole in the ground where an old man of Aran goes around and around. And his mind is a beacon in the veil of the night. For a strange kind of fashion there’s a wrong and a right. So yeah pretty difficult to get to my passwords I think.
What do you think of Bitwarden?
The thing with self hosting is you’re probably not smarter than a team. But you might think you are, which is worse. Having a self-hosted, open-source password manager accessible only from behind a VPN is probably good enough most of the time though.
If you work with like Linux Mint, it will keep your Keepass up-to-date automatically via integrated package manager ;)
Google Password Manager is cool
My brain is like an enigma, good luck trying to find my passwords
Cant read the storage medium and doesn't need internet or a computer to hold the information
I write my important passwords in a notebook using a special alphabet I made that has letters for specific combinations of letters that don't exist in common alphabets. I can read and write it fluently so I can write passwords on sticky notes at work and it would probably take a lot of work for someone to translate, more if I used some kind of cipher
I memorized the 4 square cipher, super easy to learn. Change around letters and numbers based on something that only makes sense to you: position in the alphabet, letter looks similar to another, first number is offset by 2, second by 3, whatever. You end up with a total mess that only makes sense to you.
Too bad your fancy language has to be serialized into a UTF-8 string (in best case scenario) anyway and therefore can be brute-forced like a byte-array representing said string with no awareness of the language.
Before I knew about password managers in the early 2010s I used to write everything in a txt document and compress it with a password in a .rar file.
And where did you store those rar passes? Another txt file?