You NEED to use a Password Manager!

  • Published on 11 Sep 2024

Comments • 230

  • @natemarx4999 2 years ago +51

    Naomi is the reason for happiness whenever she uploads.

  • @NaomiBrockwellTV 2 years ago +23

    Chapters:
    00:00 Intro
    00:28 Why are Password Managers Important
    03:07 People Can’t Type Randomly!
    04:05 Criteria for Choosing a Password Manager
    05:48 Online, 3rd-Party Services
    08:35 Online, Self-Managed Vault
    10:16 Offline, Self-Managed Vault
    11:18 Best practices: CHOOSING A MASTER PASSWORD
    12:22 Best practices: SECURITY QUESTIONS
    12:52 Best practices: Autofill
    14:16 Best practices: BACKUPS
    Also, if your comment was removed, it almost surely wasn't me! Comments get removed automatically all the time and there's nothing I can do about it. I suggest you keep trying to post until it sticks! 💛

  • @wombatdk 2 years ago +11

    Excellent episode. Just to give a bit of background: When I want someone's passwords, I install a keylogger on their system (trivial for most targets). Identifying passwords with that is relatively trivial. What I am after is the master password for their password manager of choice, be it the built-ins from Firefox, Chrome, various "Wallets" and so on. Some of those I can then just copy the encrypted database to my own VM and I have access to everything. Simplified explanation, but that's the basics.
    Naomi gave the ONE way I can't (easily) do that: Use 2FA, on a SEPARATE device. Use an old iPhone or Android phone that's permanently in airplane mode to run the 2FA app. Write down the 2FA tokens or print out the QR code, store them somewhere safe. Preferably IN a decent safe or lockbox, depending on your budget and security needs.

  • @nicholasagneta 2 years ago +31

    Another thing you can do to be extra secure is not actually store your full passwords in your password manager; make it "double blind". (Example: Every password has an extra PIN or phrase at the end that isn't saved in the app.) As long as you know that the passwords saved in the password manager aren't complete, even if it gets hacked your full passwords won't be revealed!

    • @TheCocoaDaddy 2 years ago +4

      That's called a "password salt". Great technique!

    • @XxDarkXxXSasuxX 2 years ago +3

      A key problem I could see with this is that websites still represent a point of failure. More than likely your passwords will be discovered on a hacked database and not your password manager, and in the odds of a targeted attack, they could potentially see what you are salting with. The more websites that your passwords are leaked from, the more data that they have to determine any patterns.

    • @TheCocoaDaddy 2 years ago +6

      @@XxDarkXxXSasuxX That's why I use salt AND pepper on my passwords... :D (j/k)

    • @davidbevill2833 a year ago

      ​@@TheCocoaDaddy 😂

    • @monkeyseemonkeydo432 8 months ago +1

      @@XxDarkXxXSasuxX
      Not if you salt differently for every website

  • @brucelovrin4786 2 years ago +16

    Not being a techy I decided a few years ago to pare down and go old school in things like banking and bill pay.
    But now getting all this info makes me feel more confident that there could be a safe way to move more digitally.
    Thanks bonza beaut mate .
    Seeya

    • @NaomiBrockwellTV 2 years ago +2

      💛

    • @billfarley9015 2 years ago +2

      It's "pare down" not pair down.

    • @brucelovrin4786 2 years ago

      @@billfarley9015 thanks for correcting my spelling.

    • @CommodoreGreg 2 years ago

      @@brucelovrin4786 I also assumed it was pair until I read this. Some idioms are so unexpected. ..

    • @brucelovrin4786 2 years ago

      @@CommodoreGreg yeah I know English is a funny language that mixes a lot of different root dialectics from surrounding countries, I guess that's why it's so hard to get it right every time.
      Cheers.
      I now understand that "pare" comes from French I think it being a term from culinary terms but I'm not 100% sure of that.

  • @CharcoalDaddyBBQ 2 years ago +5

    Been using one for years. Highly recommend

  • @iamsabo 2 years ago +4

    Thank you Ms. Naomi for this! People should consider using password managers nowadays.

  • @chuff009 a year ago +2

    Great video. Especially because I'm looking to start using a PW manager. I really wish you had done that "next video" comparing popular managers. Thanks for the info here, however. So helpful.

  • @chow9893 2 years ago +5

    👍
    I hope bitwarden keeps backup of vaults so we never lose access to our passwords

    • @johnszatkowski6898 2 years ago +1

      Most "good" managers allow for encrypted backups and should be done once a month to an offline device such as a USB drive, SD card, or a NAS storage device in case your phone or PC takes a dump!

  • @jasonmullinder a year ago +3

    I remain skeptical about password managers. I understand the security issues regarding passwords, I just have concerns over the way all technology is pushing us to depend on third party algorithms to do everything for us.
    I saw a Snowden interview where he said we have to choose between security and privacy. There is a trend to avoid talking about this and pretend we can have both in full, then we fall into the convenience and simplicity trap where some complete stranger did all the work for us.
    Reality is more nuanced and complicated than can be covered in a 15 minute (or 15 hour) video. It's too easy to just buy something and assume it fixes everything.

  • @alchobum 2 years ago +3

    Two things that might turn up.
    I used a password manager that could not log me into a certain website. The credentials entry screen could only be reached from the link in the home page. Worse, to be more secure (presumably from automated attacks), it would change the underlying field names so the password manager could not identify them. Only manual entry was possible.
    Because of that I switched to using a usb stick. Every site I use has a different password generated by lastpass or other rng based system. They are generally painful to type, so copy from usb stick file, paste into password field, all good.
    And then ..
    I started encountering sites that have paste disabled.
    I'm sure the developers of those sites meant well but they did it wrong.
    One more.
    My usb stick is always with me, so a good thing. But. There is no usb slot for a standard usb plug on my phone.
    There is no ideal solution. Tradeoffs required, as always.

  • @XxDarkXxXSasuxX 2 years ago +3

    Awesome stuff! I would be interested in more password manager content for sure. My threat model isn't very high, so on Linux I still use an encrypted document and manually copy and paste, and I randomly generate long passwords with 'pwgen -s'. Then my clipboard is set to single-entry history and automatically flushes as soon as I close the password document. On Windows, I just use a browser file manager with primary password. I already consider everything on my Windows drive as being spied on, so I don't have much drive to do more to it. Password managers have always been something I've wanted to get into, but it was always hard to choose which one. So I am looking forward to your completing the password manager arc of this channel! Cheers Cx

    • @NaomiBrockwellTV 2 years ago +2

      Yay! Coming soon!

    • @Nyowind a year ago

      What password manager did you pick?

  • @MadeyeFergy 2 years ago +3

    Thank you Naomi. ❤️ your vids. Very informative and useful.

  • @dbadaddy7386 2 years ago +2

    My passwords tend to be based on words on whatever song or video I happen to be listening to when I need a password, or words (but NOT proper nouns) on random pages of a nearby book. I have to write them down immediately or I won't remember them. Makes it a bit harder to use social engineering because I definitely don't base them on stuff you could learn from social media or even an extensive chat with me. Even I don't remember most of them.

  • @MarioDallaRiva 2 years ago +3

    Great episode! Thanks, NB.
    Nice artistry on the whiteboard 👏🏼

    • @NaomiBrockwellTV 2 years ago +2

      I am artiste 👩‍🎨

    • @4biddenknowledge108 2 years ago

      @@NaomiBrockwellTV May I ask why you remove my comment

    • @MarioDallaRiva 2 years ago +1

      @@NaomiBrockwellTV Oui, oui! 🖼

    • @NaomiBrockwellTV 2 years ago

      @@4biddenknowledge108 I didn't

    • @4biddenknowledge108 2 years ago

      Scroll all the way down at the bottom then you'll find digi id

  • @MrRefael33 2 years ago +4

    Very useful video, thank you so much! 🙏

  • @OptionParty 2 years ago +1

    An early "Happy Birthday" for you from all your friends. May you have many more.

  • @dbadaddy7386 2 years ago +2

    The service doesn't have to go out of business. How do you access the cloud when some drunk hits a pole and knocks out internet for a week? It's happened in my area. I dislike cloud services both because it means my data is in someone else's computer and because crappy internet means I often can't access it.

  • @liminal6823 2 years ago +3

    Absolutely positively necessary. I've been using 1Password for myself and my dad for the past year and it's blissful.

  • @barrycrump6189 2 years ago +3

    Great advice. Thank you.

  • @xkwantified 2 years ago +2

    Another video stuffed with good advice. Looking forward to the upcoming video reviewing a few popular password managers!

  • @piratebuddy4649 2 years ago +1

    Keepass + Syncthing = 💥

  • @wombatdk 2 years ago +4

    If you can, use a different email address (or username) for each site. That greatly reduces your attack surface because the bad guys then can't easily link breached accounts together.

  • @lancemarchetti8673 2 years ago

    I decided to dump password managers and hide my passwords in plain sight.
    It's embedded in a common Windows icon in the system directory amongst a 1000 other icons.
    I highlight the necessary text inside the icon - convert it to base64 - then ASCII to hex...and that's it. No password needed. Also, bot scanners would simply skip over the jumbled text, in case they were looking for keywords like 'account', 'login' or 'passw'.
    I made a PNG avatar for my profile on a forum website. I applied the same technique. It's been there for 7 months already without being discovered.
    My passwords are literally in plain sight on the internet, without encryption. I only have to remember the 4 sequential steps to uncover them.
    Although I did have to search for a site that didn't remove EXIF data from PNG files on upload. So that worked for me.

  • @xkeyscore1120 2 years ago +6

    Password managers (software-based ones) are vulnerable to exploits. It's a tricky one

    • @puravida5683 2 years ago +1

      I would agree, even the NSA got hacked!

    • @doooofus 2 years ago +3

      i dont really see the point in a dedicated piece of software as a password manager tbh, dont see why an encrypted text file doesnt achieve the same thing. i just have a veracrypt container for mine but because i use triple cascaded encryption (i think mine is aes-twofish-blowfish but i havent really had a reason to check it since i set it up) i cant actually decrypt it from my phone unless i pay for the (closed source) full version of EDS, so i have a second text file that gets encrypted with some pgp app i forgot the name of, and just manually sync them when i get the chance, not rly the most techy solution but it works for me. also i dont have some of the more sensitive passwords on there in case my phone gets pwned

    • @Note10plusAura 2 years ago

      @@doooofus I've wondered that for a while, to the point that i question, is it possible an encrypted txt file could even be slightly MORE secure than say KeePassXC(which is great in its own right)?

    • @doooofus 2 years ago

      @@Note10plusAura surely it would due to reduced attack surface

    • @ReubenYap 2 years ago

      @@Note10plusAura @doofus When you have 100s of websites, an encrypted text file can be a bit of pain to search and copy paste (esp on mobile). Also if you want to keep that synced is more involved.

  • @seanferguson5460 2 years ago +2

    Good advice, as always. BTW, I've always liked the two retro-future items you have behind you, the rocket ship to the left (from my view) and the TV (?) Radio (?) to your right. They both look familiar but I can't place them. What can you tell me about them?

  • @perengstrom3414 2 years ago +1

    I use a password manager and diceware passphrases with one inserted random symbol or capital character. Make a two dice matrix, six columns horizontal and six rows vertical. Fill the matrix with special symbols and capital letters and roll two dice to select which symbol or capital character to use (first horizontal, then vertical). Then roll a die again to select which word in order the extra symbol should be inserted in (1-2=first word, 3-4=second word, etc.). Then roll one die once more to decide which place in the word to put the extra symbol (1-2=second place, 3-4=third place, etc.). You have now broken up one random word in the passphrase with a random symbol or capital letter. Your passphrase is now better protected from a dictionary attack because one word in your passphrase does not exist in any word list or dictionary so your passphrase must be brute-forced and that is hard to do when the character-set is above 16 characters (ideally 20+ characters). That is one way to do it, do your own variation of it. :)
    ps. I have no idea how it affects the bit-strength, but I suspect it will make it somewhat higher.

    • @NaomiBrockwellTV 2 years ago

      That is one complex system! But glad you’re being safe! 💛

    • @perengstrom3414 2 years ago

      @@NaomiBrockwellTV It is fun and exciting rolling dice and writing down unique diceware passphrases decided by the universe that only you know about. :)
      I use them as master passwords and PC and mobile device logins. I use a password manager for everything else (web-accounts and other stuff). Passwords and passphrases are supposed to be hard, they are locks to your front door. A key hanging on a hook outside beside the lock is convenient when you come home, but convenient defeats the purpose of a lock. A lock is supposed to be hard, otherwise everybody can get past it. That is my humble opinion anyway.
      Thanks for all great content you provide! :)

  • @del669 2 years ago +2

    what an awesome channel!

  • @jr4062 2 years ago +1

    So many ways to be hacked, and so many different types of equipment. Which is more secure, computer or smartphone? Which operating system most secure, windows, Mac, Linux? What’s the most secure way of safeguarding your passwords which need to be changed on an irregular basis. This list is so huge that you need a memory manager to keep track of it all. Naomi, you need to create an ai of you, to guide and remind us dummies on equipment and staying secure on the internet. I no longer need a siri, I need a naomi for my online computing.

    • @NaomiBrockwellTV 2 years ago

      Haha AI Naomi coming soon ;)

    • @jr4062 2 years ago +1

      @@NaomiBrockwellTV great! Make it one of those holographic AI’s like princess L in Star Wars.

  • @Cryptonomics7 2 years ago +1

    right on right on Naomi! Tell em

  • @LarryCarlin 2 years ago +1

    Ohhh, gibberish answer to security questions... good tip.

  • @johnroberts3824 a year ago

    How I handle passwords:
    1. Create a Truecrypt container (use Truecrypt v7.1a)
    2. Create a spreadsheet in the container.
    3. Save links, login names, and passwords in the spreadsheet.
    4. You can save other sensitive files in the container as desired.
    When I want to log into my bank, I open the container which then becomes a new drive letter. I open the spreadsheet, copy the password, and then click on the link. It takes me to the login page where I then paste the password. Since I'm not trying to remember passwords I can use really cryptic ones. The only password I need to remember is the one to open the container.
    The only real drawback is that it's just a little cumbersome. But it's super secure. No one will ever suspect that the file is really an encrypted container, it looks like a random file. And even if someone tried, they won't be able to hack into it. Whenever I backup my computer, the file is backed up too.
    Lastly, I NEVER use my cell phone to log into sensitive websites. It's just not worth the security risk. I only do my banking from my home PC.
    I don't trust the online password managers. I won't do that.

  • @gitshell 2 years ago +3

    Good work Naomi.
    KeepassXC is my password manager of choice. Mainly because its open source. Really cool that you got in touch with the devs.

    • @NaomiBrockwellTV 2 years ago +1

      I was really grateful they chatted to me!

  • @restandcalm4446 a year ago

    Another great video! Any recommended password managers that don't break the bank?

  • @iblackfeathers 2 years ago +1

    good job on defcon karaoke last night!

  • @computerman790 a year ago

    Thoughts on adding the same word or number to the end of every password without storing it in the online manager?
    On the one hand, if your manager is ever compromised, they won't have the full password for any of your accounts and hopefully you can recover in time.
    On the other, if any service is compromised, that "pepper" (as opposed to salt, I believe) phrase is now known and could make it easier to compromise other services' password hashes.
    But it feels like they'd have to compromise 2+ accounts and care enough to make the connection. Unless you're being specifically targeted, it seems like this is a non-issue.

    • @NaomiBrockwellTV a year ago

      I think adding an extra word to a password and not storing the extra part on the password manager is helpful for security

  • @collectorguy3919 2 years ago +2

    I've been using KeePass (many variants available) for years now. Unfortunately, I have not succeeded in explaining it to others.

  • @viduralakshitha7935 a year ago +1

    Hi Naomi
    Thanks for this video. It is very helpful for us.
    How about browser password managers? I'm sure there are privacy problems with them, but is it safe to use the password manager of community-based web browsers such as Firefox?

  • @ThinkGenius 2 years ago +2

    Great video keep it up!

  • @phvivian a year ago

    Naomi is a very talented lady!
    I am starting to wonder if there is anything she can't do!

  • @pedreis 2 years ago +2

    Nice tips, but you forgot to talk about dangers of using your browser's built-in password manager

    • @NaomiBrockwellTV 2 years ago +2

      Will talk about browsers in a different video

  • @justscribeyourthought9855 2 years ago

    to! Can’t wait to buy it, and getting started!

  • @ronm6585 2 years ago +1

    Thank you. Great info.

  • @ogcrypto6022 2 years ago +1

    Thanks for the video babe

  • @truegent68 a year ago +2

    "in our next video we compare some of the most popular password managers" did you ever make this video Naomi?

    • @NaomiBrockwellTV a year ago +5

      in the works! :) We are a small team with very little funding, working as fast as we can with a long backlog 🙏 Will probably be out in December

  • @JohnSebeny 2 years ago +1

    I moved to bitwarden not long ago. best decision ever!

  • @mrtechie6810 a year ago +1

    Naomi is greatness! Love love love your videos!

  • @N7eptune 2 years ago

    The worst problem in my opinion is even in incognito mode your user name is still auto filled. So a long random conglomeration stored in my brain is the most secure.

  • @Steven_nevetS 2 years ago +2

    My password is: incorrect So if I forget my password, the computer tells me: your password is incorrect

    • @savagepro9060 2 years ago

      @i-mm-o res email user: "either your password is incorrect or your username"


  • @Paruthi.618 2 years ago +1

    Doubt : on using keepassx or other offline.. one have to copy password and paste manually in the password textbox in a website..
    but doesn't this make the password available on clipboard?

    • @JanekBevendorff 2 years ago +3

      Use the browser extension, which doesn't rely on the clipboard. But in general, you shouldn't worry primarily about the fact that malicious applications on your system could read the clipboard contents. Instead, worry about not having such applications on your system in the first place.

  • @savagepro9060 2 years ago +1

    Naomi: You NEED to use a Password Manager!
    I do: Human Resources, oh she's good!

  • @riho4622 a year ago +1

    Thank you uwu

  • @privatenosey several months ago

    I used Proton Password. On my email account with Proton. It locked me out of all my emails in Proton. It says to unlock my emails use my last password. How can I when Proton Password Manager changed my password? What crap. I am afraid to use any password manager. Traumatized

  • @dylanbystedt 2 years ago

    More password content please! Particularly, 2FA and security questions. Some password managers now serve as 2FA apps, is this secure/unsecure? Also, 2FA apps now sync across devices. How secure/unsecure is this? Are there 2FA apps that require a master password? How to protect against SIM-spoofing and do I need to be worried? Are texted 2FAs or App-based better? ‘Cause I only use an app to keep the codes out of my Messages. Would it be better to use a Google Voice number for 2FA codes vs the number associated with your SIM-card?

    • @NaomiBrockwellTV 2 years ago +3

      If your passwords and 2fa are stored in the same system, it’s no longer 2fa, it’s a single point of failure. I would recommend not using the same tool for your 2fa as your passwords.

    • @alice5515 a year ago

      And why is it often a Google 2FA? 😣

  • @ax6070 2 years ago

    Hi Naomi, great video. what's the brand of TV on the shelf, how bout that "rocket" that looks like a table lamp?

  • @daniellow426 2 years ago +1

    Thank you.

  • @JoseyStranded 2 years ago +3

    Ok mom. I'll get one now.

  • @dylanbystedt 2 years ago +1

    URL autofill filtering isn’t helpful as many websites change the URL of the login page over time, particularly if the page has been updated, keeping the old URL separate for easing downgrading if there is an issue. Or they have several different login URLs depending on which part of the service you’re using; for example Amazon, Prime Video, etc.
    Since this autofill filtering is broken by authentic services - people become complacent in copy-pasting login credentials, or worse, altering the URL in the password manager to be a higher level, allowing for some phishing URLs to go undetected

  • @monkeyseemonkeydo432 8 months ago

    What if you have a keylogger on your device that you don’t know about
    Then you download a password manager
    Then you set it up with a master password, and start generating passwords
    Now the hacker has access to everything

  • @christopherguy1217 a year ago

    Good, but all these are software based. What about using a hardware password manager? Could you discuss this?

  • @blind5211 a year ago +1

    may I ask... where IS the next video with most popular password managers reviewed? I really wanted to find that info :(

    • @NaomiBrockwellTV a year ago +1

      That’s our next release :)

    • @blind5211 a year ago

      @@NaomiBrockwellTV oh alright, thanks! I thought it was already released and I somehow missed it, I also know YouTube sometimes blocks and hides some specific videos for me because they're unavailable in my country

  • @suedoe4316 2 years ago +2

    0:40 Isn’t it not a big deal if what’s leaked is hashed? My impression was that it’s not like it can be reverse engineered, so someone knowing the hashed version of your password is basically useless. Am I wrong?

    • @hammer86_ 2 years ago +1

      The attackers can use a password cracker, but if the website uses salted hashes, then the attackers can only crack one password at a time and that would take forever. So, I'd say you're not wrong.

    • @NaomiBrockwellTV 2 years ago +2

      A few things:
      1) many passwords are not salted, which makes them easily crackable.
      Many places even keep a list of common passwords in all kinds of hashed forms so they can recognize when the same version is used.
      2) some passwords are weakly salted and also easy to crack.
      If a password is secured correctly then this should help protect you. Unfortunately this isn’t always the case.

    • @wombatdk 2 years ago

      In addition to what hammer86 and Naomi said: If your password is too short, no hash will prevent it from being brute-forced. Some people even just rent cloud computing time to do this, which greatly accelerates the process. Or use a botnet, same principle.
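Added example, not part of the video or of any comment above: the difference this thread describes between unsalted and salted password storage, run on constructed accounts. The account names, passwords, word list and function names are assumptions of the example, and PBKDF2 stands in for whatever slow hash a site actually uses.

```python
import hashlib
import hmac
import os

# Constructed sample data: a short list of common passwords and three
# accounts, two of which share the same weak password.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon"]
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "T7#vq9!rLx2@pWzK"}

PBKDF2_ITERATIONS = 100_000  # example work factor (assumption), tune per deployment


def unsalted_record(password):
    """Weak storage: a bare, fast hash. Same password -> same record everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Stronger storage: per-account random salt plus a deliberately slow hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(salted_record(password, salt)[1], digest)


def exposed_by_lookup(unsalted_db):
    """Audit a leaked unsalted table: each common password is hashed once and
    every account that uses it falls out of a single dictionary lookup."""
    table = {unsalted_record(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in unsalted_db.items() if h in table}


def shared_password_groups(db):
    """Accounts whose stored records are identical (visible without any cracking)."""
    groups = {}
    for user, record in db.items():
        groups.setdefault(record, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def guesses_needed(accounts, wordlist_size, salted):
    """Hash computations to test a whole word list against every account:
    once in total when unsalted, once per account when each has its own salt."""
    return wordlist_size * (accounts if salted else 1)


if __name__ == "__main__":
    unsalted_db = {u: unsalted_record(p) for u, p in ACCOUNTS.items()}
    salted_db = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    print("unsalted, found by lookup:", exposed_by_lookup(unsalted_db))
    print("unsalted, identical records:", shared_password_groups(unsalted_db))
    print("salted, identical records:", shared_password_groups(salted_db))
    print("salted login still works:", verify("letmein", salted_db["alice"]))
```

Neither form protects a password that is on the common list for long; the salt only removes the shortcut of testing every account at once, which is why the strong constructed password for "carol" is the one that does not show up.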

  • @robwin0072 a year ago

    Hello, help me understand; if I use a password manager (NordPass) on my PC, and I allow the use of the long, complex) on my PC.
    Now I visit the site on my iPhone, will I need NordPass on my iPhone, and will they sync? Will it sync on my iPad?
    Is that how Password Manager works?

  • @GTAbestplayer123 2 years ago

    I take the lazy route and use the built-in password manager in iOS.

  • @johnbougearel9215 a year ago

    Munch Skull - well done ha ha

  • @yasinnabi 2 years ago +1

    "There are no secrets to success. It is the result of preparation, hard work, and learning from failure."
    -- Colin Powell....///

  • @billfarley9015 2 years ago +1

    Best Practices: 11:19

  • @franciswong311 2 years ago

    Brave password manager is offline on your devices i think... it syncs via its own chain across your devices no need to create a google account unlike google it saves and only accessible online

  • @AlfonsoSalas a year ago

    What do you think of Passkeys?

  • @prashantpokhrel9143 2 years ago

    In The setup If the master channel is located in the top, next to the counter, then no - IT stays witNice tutorialn acceptable limits, when I play so of

  • @carlovincetti4538 a year ago

    I use only one random number password, about 9 digits I have used all my life and a 4 digit pin i have never changed. Never have I been hacked.
    It took about two weeks to memorize my password, and you can't ever hack a random number password. If you already have a good password, you need no other.
    Never use a password that is worded.
    When banks ask for security question, answer it correctly so you don't forget, just spell it different. Mine I use to like, to question the name of my first pet is "Kats"

  • @LS-pk3lh 2 years ago +3

    I just write all of my passwords on a piece of paper. I also have it on a jump drive that I keep in a secure place. If you use a pw manager, and it gets hacked, you are screwed.

  • @aneesch4869 2 years ago

    Ily ❤️​

  • @fulton92503 2 years ago

    very good free or paid password manager which to choose

    • @NaomiBrockwellTV 2 years ago +2

      I recommend paid service, or self managed open source option like keepassxc

  • @baruchben-david4196 a year ago

    You can also use different usernames, also somewhat random. It's just one more obstacle for a bad actor to overcome.

  • @naveenrooplall5379 2 years ago

    Is Nexus free for soft soft

  • @Note10plusAura 2 years ago

    Genuinely Curious..
    "6 random words - 77bits protects against every ExcepT the NSA"?
    Then why do all the entropy spreadsheets say for example: the 6 word passphrase would take around 96 years to crack and thats with the power of
    1 Hundred Trillion brute force guesses
    Per Second?

    • @NaomiBrockwellTV 2 years ago

      Because that’s the power of the nsa

    • @Note10plusAura 2 years ago

      @@NaomiBrockwellTV So what Exactly is the power of the NSA?
      Even if they have 9,999,999,999,999 hashes per second, it would still take 10 years?

  • @gwaeron8630 2 years ago

    An old work colleague did the sticky notes on his monitor thing at home. He got broken into and things did not go well for him after that.

    • @NaomiBrockwellTV 2 years ago

      😰

    • @alchobum 2 years ago

      Everybody knows you are supposed to put the sticky notes on the bottom of your keyboard.
      Nobody would ever think to look there.

  • @puravida5683 2 years ago +2

    That's all fine and well. Unless, you are a senior citizen! Seniors dread even getting near a computer, and everything needs a user name, password and secondary verification to boot.


  • @rey_nemaattori 2 years ago +2

    'Most people default to really bad password habits'
    Because we're being forced to due to really bad password policies, forcing users to use upper and lower case, numbers, special characters, sacrifice a virgin and use an extra key forced by elves in the moonlight, while at the same time capping the max length for some weird reason.
    I could use a sentence of hundreds of characters(say, from a book I love) as a password and it'll still be safer & harder to crack than an unmemorizable password of 18-24 characters.

    • @NaomiBrockwellTV 2 years ago

      Adding those elements make the password harder to brute force. How are you going to remember 100s of different unique sentences for each of your different accounts?

    • @wombatdk
      @wombatdk 2 years ago

      @NaomiBrockwellTV He's not completely wrong. Humans CAN remember words far better than random junk.
      The math is roughly like this - depending on keyboard you can type just under 100 different characters "easily". Most native speakers know about 40k words but can and will remember unfamiliar words as long as they're not too oddly spelled. Using combination probability n!/(r!*(n-r)!) gives us:
      ~1.3e18 for 16 random characters out of 100 characters.
      ~8.5e20 for 5 words. (presuming all same case)
      ~1.0e15 for 4 words. (presuming all same case)
      Considering that the average length of a word in English is 6 characters, you end up with a password length of 30 for a 5-word password. Add capitalization and you basically are more secure than random characters, while at the same time being able to remember passwords pretty easily - unless you have memorization issues, which is a valid concern.
      This only applies for using RANDOM words from your native language, not words from a book.
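
The keyspace arithmetic from the reply above and from the earlier "6 random words, 77 bits" thread, as an added example that is not part of any commenter's post. It counts ordered picks with repetition (n^r), which is the space an exhaustive guesser has to cover, next to the n!/(r!(n-r)!) figure quoted in the reply; the 7,776-word list size is an assumption (a Diceware-style list, which gives about 77 bits for 6 words), and the guess rate is the "1 hundred trillion per second" quoted in that thread.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(symbols: int, length: int) -> int:
    """Ordered picks with repetition: what an exhaustive guesser must cover."""
    return symbols ** length

def entropy_bits(symbols: int, length: int) -> float:
    """log2 of the keyspace for uniformly random picks."""
    return length * math.log2(symbols)

def unordered_picks(symbols: int, length: int) -> int:
    """n!/(r!(n-r)!): ignores order and repeats, so it undercounts secrets."""
    return math.comb(symbols, length)

def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case; the expected time to a hit is half of this."""
    return space / guesses_per_second / SECONDS_PER_YEAR

# Constructed scenarios. The 100-character and 40,000-word sizes come from the
# reply; the 7,776-word list is an assumed Diceware-style list.
SCHEMES = [
    ("16 random characters", 100, 16),
    ("4 random words", 40_000, 4),
    ("5 random words", 40_000, 5),
    ("6 random words (7,776-word list)", 7_776, 6),
]
GUESS_RATE = 1e14  # "1 hundred trillion" guesses per second, from the thread

def report(rate: float = GUESS_RATE):
    """Return one row per scheme with bits, both counts and worst-case years."""
    rows = []
    for name, n, r in SCHEMES:
        space = keyspace(n, r)
        rows.append({"scheme": name, "bits": round(entropy_bits(n, r), 1),
                     "ordered": space, "unordered": unordered_picks(n, r),
                     "years": years_to_exhaust(space, rate)})
    return rows

if __name__ == "__main__":
    for row in report():
        print(f"{row['scheme']:<34} {row['bits']:>6} bits  "
              f"n^r={row['ordered']:.2e}  C(n,r)={row['unordered']:.2e}  "
              f"worst case {row['years']:.3g} years")
```

These bit counts hold only when every character or word is drawn uniformly at random, which is the reply's own caveat about random words versus words from a book.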

  • @JoseyStranded
    @JoseyStranded 2 years ago +1

    Spaceballs.

  • @user-ee8mw5zt7r
    @user-ee8mw5zt7r 2 years ago +1

    🥰

  • @paulstubbs7678
    @paulstubbs7678 2 years ago

    Been using KeePass, but no idea what this 'XC' variant is.
    Some companies on the internet are a pain, in that they outsource advertising/promoting etc., which quite often results in you getting communications from that company with odd addresses, making verifying them a pain in the .....

    • @glowingone1774
      @glowingone1774 2 years ago

      xc is the QT fork of keepass

    • @ReubenYap
      @ReubenYap 2 years ago

      @glowingone1774 I don't think it's really a fork, more of a port afaik. KeePassXC is written in C++ compared to Keepass' C# and is therefore more cross platform compatible.

    • @glowingone1774
      @glowingone1774 2 years ago

      @ReubenYap nope it's a fork of KeepassX
      Which itself was a fork
      so indeed it is a fork

    • @ReubenYap
      @ReubenYap 2 years ago

      @glowingone1774 keepassx is a port not a fork

  • @PhotographerSteve
    @PhotographerSteve 2 years ago +4

    What doesn’t work- telling people “don’t reuse your passwords”
    What DOES work? Saying, “Passwords + Toilet paper NEVER reuse!”

  • @aussie8114
    @aussie8114 1 year ago

    If someone has their banking password in a password manager they may want to look into whether their bank will cover them against fraud if it gets used illegally. I suspect not.

  • @Cryptonomics7
    @Cryptonomics7 2 years ago

    IS this a rerun episode? :)

  • @Timesynergy
    @Timesynergy 1 year ago +1

    She never made a vid about which password managers are best😢

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  1 year ago +2

      We have a backlog for the next 6 months, but it is in our pipeline :) we are a very small team with very little funding 💛

  • @apbmes7690
    @apbmes7690 2 years ago +2

    THIS.

  • @firstlast6808
    @firstlast6808 1 year ago

    Y is my name in the thumbnail...,.n that's the 2nd time someone has put 35 in relation with my name y.? I'm not 35

  • @harambeduck4110
    @harambeduck4110 2 years ago

    hot chick giving IT advice... nice! like that content.

  • @quintaeco
    @quintaeco 2 years ago

    Simple: stay offline unless you buy groceries or do banking. Don't install Twitter, Facebook or other social media on your mobile device. I use a 32-character password and I copy-paste it from an encrypted file.

  • @RichardPhillips1066
    @RichardPhillips1066 1 year ago

    Password managers are great for preventing you from being tricked by a fake copy of a web site; the URL won't match no matter what tricks they do

  • @oceanwonders
    @oceanwonders 2 years ago

    90%+ of people should just use an online PW manager service. You want something that frees up your time and attention, not something that's an added burden to deal with.

  • @johnmorris5212
    @johnmorris5212 2 years ago +3

    I don't feel 100% safe after all, knowing that all my passwords are in 1 (currently) smart tool.
    I'd have to do some research every week to see if it's still safe.

  • @johnmorris5212
    @johnmorris5212 2 years ago

    What are you with such a YUBI key? as USB changed every 3 years. or even disappeared on laptops?

  • @timhorton698
    @timhorton698 1 year ago

    I'm not good with computers. My cat studies IT. She does all that stuff in my house

  • @tigreonice2339
    @tigreonice2339 2 years ago

    Encrypt your post-it and it's safe ;)

  • @RJ-un2xh
    @RJ-un2xh 2 years ago

    fyi lastpass had vulnerability recently lol