Even password managers can be hard. They are wonderful when they function as expected. When they do not it causes major problems until you can figure it out. I use a password manager for all non-money related sites. For money sites I keep a written record securely locked which simply reminds me of password structure. Any third party finding it could still not figure it out.
Password. managers need to rely on analysing a web page in a browser for user and password entry fields. They may fail in doing so, as there is no standard web sites can adhere to and password managers can rely upon when doing their work. All password managers have is intruding into web browsers, look at the pages you are loading, find the username/password fields based on heuristic rules and fill them. This has been a technology applied for a decade now, and it did not got any better. And it is so much bailable by any means. Thw upcoming alternative to resolve that issue (among others) are passkeys. They can rely on a standard to work - either a browser supports that standard or it doesn''t (all major browsers but Firefox (which I find very disappointing) do today). And third party password managers start do it as well, and it does not require all of them to figure out what is going on und supposed to happen by analysing web pages - passkeys are a well-defined standard including web-sites accessing them for login: they simply place a well-defined javascript-statement on their page.
What exactly do you find hard about password managers, if I may ask? I use KeePassXC which is one of the most trusted password managers and it's pretty easy to use.
@@almuric1baggins337 Too much work. I have around 400 hundred accounts. I also as a person in IT use 20+ devices on a given day which can limit the options.
I’ve used a password vault for many years. And then it was breached. My husband thought I should change services. I felt that at least we know this one is now beefing up, where the rest are still unknowns as fas as security.
I've never understand the issue with passwords. There is no need to think up and remember a password. The simple solution is to use a password manager. Within that manager, I have it generate a complex password typically up to 20 characters. It will have numbers, special characters, upper and lower case text, etc. When asked for the password, I simply copy and paste. Done.
With your great presentations perhaps more will move to one. You might consider a presentation to demonstrate the generation of passwords and the copy and paste method. Also, aren't there some password managers that automatically connect and enter the password? One of the comments below states they don't always link and enter the PW.
Or for computer sites - Memorize a list of 52 characters. Make it words and numbers. Example: 1Jerky2Party3Green4Horse5Sugar6 Banana ... It doesn't take long to memorize and you can use it forever. Completely uncrackable by any advanced method.
Really bad idea store it in the cloud. Store it locally in an external disk mirrored in a file encrypted with AES. Just in case, print it and save at home in a secure and hidden place
Here's why I do not trust "use just one password" for a password vault: The password manager fails too often to properly fill-in the correct password for person's username so the person still must either do some extra clicking OR enter the needed password using the keyboard. Even so, I myself do use a password manager with a "vault"; this vault having its one chosen password.
When i was a newby medical student 5decades ago...to remember complex anatomical structures we used mnemonics as an aide de memoire....now i remember esp the 'bawdy ' ones!....so even algorithms may be forgotten....
in an "ideal world" you would not use a password at all, but authenticate yourself with a key. yet its 40 years down the internet road and microsaft still doesn;t know how keys work. the "problem" with password managers is, that you put all your data at a single point of attack.
With Apple tv's no more typing in passwords on the screen setup iCloud keychain then calling up the built-in remote app on the iPhone select that apple tv then it will ask or a password on the iPhone select your account password from the autofill it will fill in the password this gets around hand typing period
You need to get slightly more sophisticated, so will need at least four. One for your computer, one for your phone, one for your password manager, and one each where compromise might cost you huge financial losses, such as your bank account.
Yeah, but if someone somehow discovers your passkey password, aren't you then effectively as vulnerable as someone who used the same password for everything?
Problem I have found with some password. Managers is the ability to save the complicated Auto Jen password. Sometimes there is an automatic prompt and other times. There is nothing.
Hi Leo, really enjoy your videos. I'm wondering what is your take on auto generated passwords such as the ones Firefox offers with auto log into each account that it creates a password for.
As long as you can configure the password to be sufficiently complex, they're great. I use 1Password's generator. Here's an example: o2EYjUJHryXFCgxvZ8UT
The best approach for password managers is to add the samd few secret characters to the beginning or end of every auto-generated password. Then if the vault is hacked it does not list your full password.
i suggest eliminating passwords- i can never remember them! and go to a short series of personal questions you can answer. also i have no idea what you mean by "vault" !
Password 'managers' or 'vaults' do not work- you are often required to enter particular characters from your password. They cannot do this. My bank wants both this and specified numbers from my numeric code. Another fail. They can also cost money- which a password protected Excel file does not. And that, if all it gives is personal hints, is more secure than a password manager- they have been hacked before...
How safe is a password vault./ manager...if that is hacked or down a user will be stuck....best is to keep a written list of the passwords in a physical 'vault'
Do password vaults work in an Enterprise (Microsoft /Windows) setting when logging into on-premise, business software each with different usernames and passwords while adhering to company policies such as password length, password expiry? Examples of such software include Accounting, HR, Payroll, etc that staff have to routinely use.
So in other words, they only need to know the password of your vault. Meh, bad way of doing things, especially our passwords for bank, paypal and the likes, should be passwords that need to be memorized.
Oh I left out part of something I meant by insurance use the same password on everything if one site gets compromised change password immediately insurance will cover anything else
Yes, but it needs to be 32+ random characters. Most hackers put a time limit on how long they spend to hack your password. Then they move on to the next one.
I normally do 24 characters. 32+ sounds a bit excessive, no? Is a 24 character purely random password (including special characters) easy to hack nowadays?
@@bgtubber It just takes to much time. They can get into 5 or 6 for the time it take to break into one 32+. 16 is the norm now. Just put 2 or 3 random letter in it and that will stop 99.99% of the algorithm hacks.
We all know that passwords are static therefore they can be stolen - e.g. via a keylogger. The best solution would be if sites displayed a fresh code every time you want to log in and your personal, PIN-protected HW key would display the one-time password for you to type in manually. Simple, secure.
Several password vaults have been hacked in recent years they are no longer the safe and best bet. The algorithm is a good idea but over time your passwords will show a pattern that is not difficult to crack. The best way to deal with password authentication is to use a long phrase that is easy to remember but is nonsense. Couple that with MFA/TFA using your mobile to receive the chalange code. Until the industry implement passphrase technology. And by the way, use a Linux PC for your personal and sensative data. I run Windows for various none sensertive work. And a Linux box to access personal data sites.
"Several password vaults have been hacked" - please provide your sources. I don't believe "several". In fact, I know of only one compromise, LastPass, and so far NO actual password data has been confirmed stolen that I'm aware of. Password Vaults remain more secure than any of the alternatives.
Use Just A Single Password For Everything...sure...losing or some one PERMANENTLY BORROW that password...you will also LOOSE EVERYTHING..yes this "intelligence"
And of course, never write down your vault/master password in a text file or on a piece of paper! That's like locking your house and putting the keys under the doormat. 😄 Even if nobody finds it, you could lose it. Just memorize it and make sure it's long and not simple to guess. Add symbols and numbers too.
Dislike. You CANNOT use only one password everywhere! Done on purpose, of course, but the proper description is “use only one password to open the rest of your passwords!”. Clickbait is needed for some “creators”, but what kind of idiot crowd can this bring?
It’s possible; just not the way you think.
Even password managers can be hard. They are wonderful when they function as expected. When they do not it causes major problems until you can figure it out. I use a password manager for all non-money related sites. For money sites I keep a written record securely locked which simply reminds me of password structure. Any third party finding it could still not figure it out.
Password. managers need to rely on analysing a web page in a browser for user and password entry fields. They may fail in doing so, as there is no standard web sites can adhere to and password managers can rely upon when doing their work. All password managers have is intruding into web browsers, look at the pages you are loading, find the username/password fields based on heuristic rules and fill them. This has been a technology applied for a decade now, and it did not got any better. And it is so much bailable by any means.
Thw upcoming alternative to resolve that issue (among others) are passkeys. They can rely on a standard to work - either a browser supports that standard or it doesn''t (all major browsers but Firefox (which I find very disappointing) do today). And third party password managers start do it as well, and it does not require all of them to figure out what is going on und supposed to happen by analysing web pages - passkeys are a well-defined standard including web-sites accessing them for login: they simply place a well-defined javascript-statement on their page.
What exactly do you find hard about password managers, if I may ask? I use KeePassXC which is one of the most trusted password managers and it's pretty easy to use.
I do the same. I don't trust my cloud based password manager to protect my financial sites because they have been hacked multiple times.
@@drescherjmDid you ever think of changing your password manager! Doh!
@@almuric1baggins337 Too much work. I have around 400 hundred accounts. I also as a person in IT use 20+ devices on a given day which can limit the options.
I’ve used an algorithm for 20 years and never had a problem.
Thanks, Leo! (I’m really liking your videos.)
In an ideal world, there are no hackers and identity thefts.
In an ideal password we wouldn't need passwords!
I’ve used a password vault for many years. And then it was breached. My husband thought I should change services. I felt that at least we know this one is now beefing up, where the rest are still unknowns as fas as security.
I've never understand the issue with passwords. There is no need to think up and remember a password. The simple solution is to use a password manager. Within that manager, I have it generate a complex password typically up to 20 characters. It will have numbers, special characters, upper and lower case text, etc. When asked for the password, I simply copy and paste. Done.
You'd be surprised how many people don't use a password manager. A good chunk of them reuse a single simple password across all sites. Yikes!
With your great presentations perhaps more will move to one. You might consider a presentation to demonstrate the generation of passwords and the copy and paste method. Also, aren't there some password managers that automatically connect and enter the password? One of the comments below states they don't always link and enter the PW.
Keepass - very happy with that one.
In an ideal world we would not need passwords
Or for computer sites - Memorize a list of 52 characters. Make it words and numbers. Example: 1Jerky2Party3Green4Horse5Sugar6 Banana ... It doesn't take long to memorize and you can use it forever. Completely uncrackable by any advanced method.
Your advice or idea of an algorithm for choosing a password is excellent. I also have my own decided algorithm; but I am not telling what it is.
why not 😀??
still my secret! @@Beavis-et8ox, but you can think of your own method.
What happens if a hacker gets in to your pass word manager? Can they now get into every sight that is stored there?
Really bad idea store it in the cloud. Store it locally in an external disk mirrored in a file encrypted with AES. Just in case, print it and save at home in a secure and hidden place
Here's why I do not trust "use just one password" for a password vault: The password manager fails too often to properly fill-in the correct password for person's username so the person still must either do some extra clicking OR enter the needed password using the keyboard. Even so, I myself do use a password manager with a "vault"; this vault having its one chosen password.
When i was a newby medical student 5decades ago...to remember complex anatomical structures we used mnemonics as an aide de memoire....now i remember esp the 'bawdy ' ones!....so even algorithms may be forgotten....
Great, helpful video, Leo, thanks for all your great help and information over the past year. I wish you well for 2024.
in an "ideal world" you would not use a password at all, but authenticate yourself with a key. yet its 40 years down the internet road and microsaft still doesn;t know how keys work.
the "problem" with password managers is, that you put all your data at a single point of attack.
With Apple tv's no more typing in passwords on the screen setup iCloud keychain then calling up the built-in remote app on the iPhone select that apple tv then it will ask or a password on the iPhone select your account password from the autofill it will fill in the password this gets around hand typing period
I always choose the really really bad approach in all of my endeavors.
Good tips & try to keep it simple for yourself too! 😊
You need to get slightly more sophisticated, so will need at least four. One for your computer, one for your phone, one for your password manager, and one each where compromise might cost you huge financial losses, such as your bank account.
Yeah, but if someone somehow discovers your passkey password, aren't you then effectively as vulnerable as someone who used the same password for everything?
Problem I have found with some password. Managers is the ability to save the complicated Auto Jen password.
Sometimes there is an automatic prompt and other times. There is nothing.
Seems like a violation of the rule -- don't put all your eggs in one basket -- and dangerous.
Hi Leo, really enjoy your videos. I'm wondering what is your take on auto generated passwords such as the ones Firefox offers with auto log into each account that it creates a password for.
As long as you can configure the password to be sufficiently complex, they're great. I use 1Password's generator. Here's an example: o2EYjUJHryXFCgxvZ8UT
The best approach for password managers is to add the samd few secret characters to the beginning or end of every auto-generated password. Then if the vault is hacked it does not list your full password.
i suggest eliminating passwords- i can never remember them! and go to a short series of personal questions you can answer. also i have no idea what you mean by "vault" !
Vault is a password manager program that remembers passwords for you, like 1Password, Bitwarden and others.
Password 'managers' or 'vaults' do not work- you are often required to enter particular characters from your password. They cannot do this. My bank wants both this and specified numbers from my numeric code. Another fail.
They can also cost money- which a password protected Excel file does not. And that, if all it gives is personal hints, is more secure than a password manager- they have been hacked before...
How safe is a password vault./ manager...if that is hacked or down a user will be stuck....best is to keep a written list of the passwords in a physical 'vault'
Disagree. Even if the provider is hacked your passwords remain securely encrypted and useless to the attacker.
Do password vaults work in an Enterprise (Microsoft /Windows) setting when logging into on-premise, business software each with different usernames and passwords while adhering to company policies such as password length, password expiry? Examples of such software include Accounting, HR, Payroll, etc that staff have to routinely use.
IT support for the organisation I worked for wouldn't install anything like that, but 1Password has a web interface so I could copy and paste.
So in other words, they only need to know the password of your vault. Meh, bad way of doing things, especially our passwords for bank, paypal and the likes, should be passwords that need to be memorized.
what about the windows 11 or iOS native tool?
I would like to see the evidence that hackers crack passwords by testing character strings.
@askleonotenboom What’s your opinion of using Apple Keychain as a password vault?
It's fine, as long as you don't need the info on a non-Apple device.
Oh I left out part of something I meant by insurance use the same password on everything if one site gets compromised change password immediately insurance will cover anything else
Yes, but it needs to be 32+ random characters. Most hackers put a time limit on how long they spend to hack your password. Then they move on to the next one.
I normally do 24 characters. 32+ sounds a bit excessive, no? Is a 24 character purely random password (including special characters) easy to hack nowadays?
@@bgtubber It just takes to much time. They can get into 5 or 6 for the time it take to break into one 32+. 16 is the norm now. Just put 2 or 3 random letter in it and that will stop 99.99% of the algorithm hacks.
use a pattern of keystrokes tthat mean nothing
We all know that passwords are static therefore they can be stolen - e.g. via a keylogger. The best solution would be if sites displayed a fresh code every time you want to log in and your personal, PIN-protected HW key would display the one-time password for you to type in manually. Simple, secure.
Does not explain what a password vault is.
YubiKey anyone?
I have that but its not supported everywhere.
YubiKey is excellent as the *2nd* authenticator you use in addition to your password.
Dont all important services have 2FA anyways? Even if someone has my password, why would it matter? They can't login without 2FA.
No. Not all do. And not all people use it when they do.
A lot of places have 2FA for logging in, and 1FA for changing your password. You can also get tricked into revealing your code to them.
Are you sure you are not working for some spy agency, because what is in the ether everything can be hacked, just saying
Can u give me 1 example of password
78V6hLEZvHjRBjLuXeZb
What if the vault fails? Like any other soft.
This is why you should be backing it up regularly. (And even if not you haven't lost access to anything.)
@@askleonotenboom , so, that means I need another password? For the back-up.
@@TroyQwert That depends entirely on how you choose to securely store that backup.
@@askleonotenboom , I hear you. What the back-up fails simultaneously with the "A-roll"?
@@TroyQwert Hopefully that never happens, but most recommend two backups: one local, and one off-site. So that's an extra level of protection.
Didn't realize the first half of this video was a lecture
Welcome to my TED talk.
instead of trah talking and talking give an example
Several password vaults have been hacked in recent years they are no longer the safe and best bet. The algorithm is a good idea but over time your passwords will show a pattern that is not difficult to crack. The best way to deal with password authentication is to use a long phrase that is easy to remember but is nonsense. Couple that with MFA/TFA using your mobile to receive the chalange code. Until the industry implement passphrase technology. And by the way, use a Linux PC for your personal and sensative data. I run Windows for various none sensertive work. And a Linux box to access personal data sites.
"Several password vaults have been hacked" - please provide your sources. I don't believe "several". In fact, I know of only one compromise, LastPass, and so far NO actual password data has been confirmed stolen that I'm aware of. Password Vaults remain more secure than any of the alternatives.
@@askleonotenboom keep believing in fairies.
@@waynea4651 Yep I sure do.
Oh, please just use one password. The hackers will love you for it!
Use Just A Single Password For Everything...sure...losing or some one PERMANENTLY BORROW
that password...you will also LOOSE EVERYTHING..yes this "intelligence"
I'm assuming you didn't actually watch the video.
Lose.
And of course, never write down your vault/master password in a text file or on a piece of paper! That's like locking your house and putting the keys under the doormat. 😄 Even if nobody finds it, you could lose it. Just memorize it and make sure it's long and not simple to guess. Add symbols and numbers too.
Waste a LOT OF TIME saying nothing!
Just use a simple password like 12345 so you can remeber it easily.
And get all your stuff hacked. 😂😂
Hey! That's the same password I use on my luggage.
Dislike. You CANNOT use only one password everywhere!
Done on purpose, of course, but the proper description is “use only one password to open the rest of your passwords!”.
Clickbait is needed for some “creators”, but what kind of idiot crowd can this bring?