How Secure Is Your Password Manager?

  • Published on 4 Oct 2024

Comments • 840

  • @samsawesomeminecraft 11 months ago +1699

    My threat model is mostly me forgetting my own master password to the password manager. Everything else is a lesser threat.

    • @phillipanselmo8540 11 months ago +30

      think of your favorite animal, look up its scientific name and use that as your password. Now, any time you forget your password you just have to search up your favorite animal.

    • @5371W 11 months ago +146

      @@phillipanselmo8540 maybe your mpw should be a bit stronger than something that falls to a dictionary attack. Better add 123 to the end just to be safe.

    • @Suicidekings_ 11 months ago +43

      Sentences work best as passwords. Easier recall, less likely on a master list, harder to brute force.

    • @eitantal726 11 months ago +60

      correct horse battery staple

    • @Suicidekings_ 11 months ago

      @@eitantal726 nooooo!! Dr Mike Pound said NOT to use that one.

  • @Adomas_B 11 months ago +2618

    I reckon my notepad document can do the job

    • @smasher. 11 months ago +24

      Frfr

    • @TENNOM 11 months ago +17

      best comment lol

    • @adamk.7177 11 months ago +278

      @KGBMajorValeriP what if someone hits you in the head really hard tho, you need a backup just in case. This comment is sponsored by helmets

    • @E57det7I 11 months ago +41

      I mean have you really delved into password management until you have Veracrypted a txt document?

    • @maxscott3349 11 months ago +26

      I just wait until the junk mail I use as a mouse pad gets a hole worn into it and then write it on that and tape it to the wall next to my pc

  • @Jeal0usJelly 11 months ago +259

    I store my passwords in quantum superposition, I either remember them or not and I don't know if I do until I need to use them 😎

    • @handleneeds3charactersormore 11 months ago +4

      Schrodinger's Jelly

    • @svampebob007 11 months ago +6

      But if you don't that means a parallel universe you do.... what if he's working with the pigs snitching on YOU, or what if he was the hacker all along?
      can't hack me if there's nothing to hack, can't break an enter if there's nothing to break, can't steal if there's nothing to steal.
      I'm poor, pretty sure they would offer to pay me for a new identity.

    • @WoolyCow 11 months ago +3

      oh nice me too! i just updated to v.20.1 do u also have that weird bug where sometimes another evil version of you comes from a parallel universe to attack your family? i thought the devs patched it...shame

    • @fuckshit8208 11 months ago +1

      Best comment here lmao

  • @FrogsRghey 11 months ago +672

    Can't lose your password if you never knew them 😎

    • @FrogsRghey 11 months ago +61

      @@cold_static the logic is flawless really

    • @YTInnovativeSolution 11 months ago +33

      @@FrogsRghey I use the same logic as a mechanic. Can't have a coolant leak if there is no coolant.

    • @HiberNAT 11 months ago

      I'm a Chad forget your password ? clicker for login everytime sending proof of life everytime in a 48h+ process with their enterprise helpdesk

    • @yosutzuhruoj 11 months ago +8

      Ah, the old loop of resetting password everytime
      Solid choice

    • @TheDevouredEagle 11 months ago +1

      Smart Chad move 👌

  • @jackstrawful 11 months ago +75

    I loved it in Battlestar Galactica when they would make such a big deal about the fact that none of their systems were networked to each other - and the one time they did need to run a network, they treated it like the most batshit insane idea anyone could possibly have and as the most dire situation they could possibly be in.
    If there’s one benefit to nearly being genocided by A.I., it’s that you sure do learn to respect OpSec right quick.

  • @kallu6250 11 months ago +61

    I write my passwords in a notebook. This is literally air-gapped level security and highly effective against cyber threats.

    • @richardlyman2961 11 months ago +4

      What about when policia come to your door

    • @ra2enjoyer708 11 months ago

      @@richardlyman2961 They will demand you to hand over the passwords and bin you for terrorism if you refuse.

    • @Visquint 11 months ago

      burn burn burn @@richardlyman2961

    • @techguydilan 11 months ago +2

      Keyloggers are practically the only cyber threat you have to look out for with handwritten passwords. Make sure to have up to date AV or keep root access pw protected if you're on Linux, and look out for any physical ones by inspecting where your keyboard plugs in occasionally and every time you use a public/lab computer.

    • @barlauch9292 11 months ago

      How often do you change your passwords? And are they long enough?

  • @7rich79 10 months ago +67

    In my opinion, it's best to educate on "good enough" or "reasonable" security. The best in class security which works well for high value targets is not necessarily the most appropriate for the average citizen. Additionally, no matter how good your password practices are, you are still vulnerable to attacks on the services you use, like a credit rating agency, online tax submission, insurance services, any business or utility that stores your credit card or has direct debit capabilities. Many of these services are difficult to avoid using too.
    Perhaps we can teach people more about context however. Like don't keep your passwords for work in the same password manager as the one you use privately.
    There is also the balance between security and convenience. Being logged out automatically from your bank after 5 minutes of inactivity is good, but perhaps you would be annoyed if your social media accounts did the same.
    The same perhaps also with multifactor authentication.
    All that being said, this video does have very good points :)

    • @nef36 8 months ago +1

      Buying physical gift cards with cash is a good way to keep your debit cards off databases

  • @RedactedBrainwaves 11 months ago +127

    On keepass, if you have a secured printer, you can actually print out your passwords very neatly and organized if you fancy having a physical backup.

    • @SosseHD 11 months ago +23

      Ur printer and its software trustable?

    • @omicronx94 11 months ago +79

      "a secured printer" you guys are delusional. no one has hacked your printer.

    • @tfr 11 months ago

      @@omicronx94 adding to this, ensuring it is not publicly wireless. turning off its wi-fi direct or embedded networks and preferably linking it over ethernet to your network rather than wifi is more secure. also, some printers have this “email to printer” function but obviously that goes through the internet. best bet for paranoid people is to have a vlan between the printer and the device where they can communicate but cannot access the internet. then after this step you burn your printer and send it into space aimed at the sun

    • @transience4172 11 months ago +8

      @@omicronx94 you made me laugh)

    • @p_serdiuk 11 months ago +45

      @@omicronx94 some printers can store copies of printed documents by default

  • @katehikes1645 11 months ago +75

    jokes on you I write my passwords in my walls

    • @mgord9518 11 months ago +12

      I also write my passwords in your walls

    • @the1necromancer 11 months ago +8

      @@mgord9518
      So _you're_ who that second set of passwords belongs to. That scraping gets very annoying in here.

    • @Quotethe months ago

      Guys someone keeps writing funny words on my snacks i need help stopping it

  • @KeithBoehler 11 months ago +429

    Also worth adding the Ukrainian and Taiwan flag emoji to your passwords. This keeps you safe from the Russian and Chinese hackers who won't have them out of principle.

    • @cyphersurf890 11 months ago +39

      That's very comical but it might actually be true!

    • @LaughingMan44 11 months ago

      That sounds like some made up soy-infused bs from reddit

    • @271kochu 11 months ago +3

      ...you have emoji on your keeb?

    • @slavic_commonwealth 11 months ago +66

      and then add Russia and China flag emoji next to 'em so Ukrainian and American hackers won't get you

    • @sellers737 11 months ago +16

      @@slavic_commonwealth might as well add a bullseye emote then cause that's how you'll look to the CIA / FBI

  • @quidquopro1185 11 months ago +30

    Been using pass since 2013 and do not think I will stop any day soon. Simplicity always triumphs!

    •  11 months ago +1

      Which can easily add two-factor authentication by using a smartcard.

    • @quidquopro1185 11 months ago

      @ Honestly never heard about that, I just use a private key.

    •  11 months ago

      It's a private key on separate card like a simcard but bigger. You can also use something like a yubikey that contains also an openpgp card. @@quidquopro1185

    • @xybersurfer 11 months ago

      what is pass?

    • @GarfieldtheDestroyer 11 months ago +1

      Ah yes, the well known program "pass"
      E: the standard unix password manager?

  • @carljung4733 11 months ago +10

    Great to see that Jason Tatum is so knowledgeable about this stuff

    • @ClickClack_Bam 10 months ago +1

      Dude looks & sounds like Vegan Gains 10x more than that guy.

  • @3NTR4PT4 11 months ago +27

    My favorite password manager is the combo-locked journal that never leaves my backpack, with cryptic riddles and secrets that need to be used for translating the passwords

  • @sethbingo 11 months ago +175

    keeping them written down on a piece of paper is more secure than many password managers, assuming you don't lose it

    • @huckleberryfinn8795 11 months ago +40

      Yeap, my passwords NEVER end up on a digital device, ever.

    • @lockdown727 11 months ago +5

      That's what I'd do honestly and it hasn't failed yet.

    • @entcraft44 11 months ago +66

      A) It depends on your situation a bit. Do you carry it on you? Then it could easily get stolen. Do you keep it in your house? Could still get stolen in a robbery, or abused by a family member or whoever else you live with. Most people can trust their family members, but not all. A fire-proof safe is a good idea, that will certainly be enough for 99% of people. If it is a good safe and not cheap junk.
      B) Writing passwords down encourages the use of shorter, easier to type passwords than a solution involving copy and paste.
      But depending on your personal threat model, a paper list could be a viable option.

    • @lyndog 11 months ago +12

      Good points! I will say that the robbery thing is less of a threat than many think. If your little password book is non-obvious it's not going to be stolen. And in an in person robbery they'll generally be after immediate items that can be sold or used quickly.

    • @joaomaria2398 11 months ago +10

      I have hundreds of passwords, whenever possible going from 30 to 50 chars long.
      It is simply impractical to write it down.

  • @JRLarsen 11 months ago +85

    Another thing to take into consideration is malicious browser extensions, both ones that present themselves as a password manager or connect to your password manager

  • @andrescorrea125 11 months ago +80

    Hey Mental Outlaw, do you have plans of discussing security on self hosted services? ...

    • @pureheroin9902 11 months ago +9

      Id like to see this. I used to keep my keepass file on Google Drive then thought its probably NOT a good idea. Id much rather self host.

    • @nutelhere 11 months ago

      @@pureheroin9902 why is it a bad idea?

    • @itsme7570 11 months ago

      There's a lot of self hosting channels out there. Just search hardening whatever you're self hosting

    • @Maleko48 11 months ago

      @@pureheroin9902 resilio sync it to yourself, or syncthing

    • @danielnanski838 11 months ago +2

      Same. The only thing is I dont trust myself to properly secure my system.

  • @TheBicPen 11 months ago +15

    I like the convenience of cloud-based solutions. Tbh i dont have a problem with them if the client is open-source and I can verify that it sends and retrieves nothing that isnt encrypted locally.

    • @marzeqpog 11 months ago

      thats why i use bitwarden. the client(s) and the server are open source, but they host their own publicly available instance. all my passwords are randomly generated so even if bitwarden gets breached, im pretty confident the attackers won't reverse the hash

  • @MrMakkymakk 11 months ago +8

    Every time I see Keepass I always read it as "keep ass"

  • @Bagginsess 11 months ago +21

    My paper notebook has 3 defenses: a locked door, a dog, and a gun. Hack that glowie.
    ATF grabs the gas

    • @deleted_handle 5 months ago +2

      Doors can be unlocked without the key.
      A dog can be killed or bribed with food.
      You aren't always going to have your gun on hand.
      what if u leave ur notebook at home when ure not there?

    • @Bagginsess 5 months ago

      @@deleted_handle all of that would apply to a computer too... except paper can't be remotely hacked...

    • @kevinklien90 5 months ago

      @@deleted_handle stash that piece of paper in a crusty sock under the bed

  • @blacklamb8393 11 months ago +6

    bitwarden is the goat of password managers

  • @Byzantine-Revolt 11 months ago +47

    I store my passwords on the tablets God gave Moses so I think I am good

    • @vadon8993 11 months ago +8

      Are the tablets encrypted? Asking for Aaron

    • @nobodytrulyimportant 11 months ago +18

      I see you're a TempleOS fan.

    • @ayanami-rei-san 11 months ago +6

      I'm adding 10 commandments to my hash cracking dictionary, thank you!

    • @adamk.7177 11 months ago +1

      @@nobodytrulyimportant comedy

    • @TENNOM 11 months ago

      based

  • @brunoabad1027 11 months ago +7

    I actually remember all my DIFFERENT passwords as my insane brain is the safest software I know of

    • @UngovernableU 11 months ago

      Based

    • @boyproO19 4 months ago

      For me the way to remember my password is to follow a format. Yeah if one gets compromised the same format can be used to access my other accounts but I use different nicks I my password for it.

  • @rithvik 11 months ago +30

    my exp rates go up 10% every time mental outlaw uploads.

    • @pepealasquid6005 11 months ago +7

      MY LIFE IS LIKE A VIDEO GAME

  • @Two-Checks 11 months ago +11

    How's notepad in a veracrypt container?

  • @gethinfiltrator6700 11 months ago +11

    Cloud based has a purpose. It's to build and update someone's dictionary db.

    • @cyphersurf890 11 months ago

      TRUE! it gives ammo to our enemies

  • @profile-locked 11 months ago +10

    A video about how to securely use your android phone or overwrite it like with tails for example etc would be handy.

    • @pyqio 11 months ago

      buy a phone that supports any other version of Android, install the OS, use it. That's quite simple. Oh, and remember that Android (as much as iOS) is not secure by design. There might be some software that tries to encrypt some data, but it's hardly possible to have more privileges than the OS itself.

    • @handleneeds3charactersormore 11 months ago +3

      @@pyqio so, Android is one (if not THE most) of the most secure OSes according to some dude that works on either tails, qubes or whonix, he's done some deep dives on this on dread (could be a glownie tho). Apparently since the beginning of Android every app has been compartmentalized into an isolated VM (makes sense, I remember the whole dalvik VM fiasco) and nowadays all phones starting from Android 8 have full disk encryption
      Whether your manufacturer pozzed the ROM/encryption or not that's a whole different thing, but if you run AOSP there is nothing pozzed there.
      Also sorry for the vagueness it's been around half a year or so since I read the info, it's not fresh in my mind

  • @towatch 11 months ago

    Man I gotta say this. But when I see your face and hear voice there's just something pops up inside of my heart ❤. Love you so much.

  • @NobodyisAnybody 11 months ago +1

    0:26 Flamin’ hot security

  • @ST-actual 11 months ago +5

    Not watching but the trick is to have a password you use for everything. You’ll use that as your second half. The first half can be stored in a password keeper. This way when you autocomplete your password there’s still a bit of manual work to do to get logged in.

  • @yippyo 11 months ago +24

    Friendly reminder to backup your keepass files to the cloud/NAS (preferably in an encrypted 7z folder)

    • @HunterKiotori 11 months ago

      Can keepass read and edit the file inside the 7z? Or do you have to take it out every time

    • @W4nn3 11 months ago +19

      The database is already encrypted with your master password. No need to encrypt it again.

    • @tfr 11 months ago

      @@W4nn3 furthermore if your nas supports SED, use that. makes your drives encrypted on the fly so even if the nas is physically stolen, nobody can even see what files are on it to begin with so they won’t know you’ve got a keepass database

    • @handleneeds3charactersormore 11 months ago +9

      @@W4nn3 nothing wrong with multi layer encryption, also super useful for compartmentalized databases

    • @schetenwapper6591 11 months ago +6

      you dawg I heard you like encryption so I put an encrypted vault in an encrypted vault so you can decrypt while you decrypt.
      Eh, idk. This meme has better uses.

  • @n-steam 11 months ago +4

    You say not using a password manager borders on insanity... but 90% of websites you need to log into are junk sites that I dont care if the "password" I use gets leaked and they get access to all the other junk sites. For the accounts that matter, I've got separate passwords for, and there really isnt that many, I could count them on my fingers.

    • @slavic_commonwealth 11 months ago

      yeah, these junk sites together can build your entire identity and give a lot of information to the hacker, so it would be easier for him to get a password for "main" accounts. @mantyy

  • @TheStiepen 11 months ago +6

    This video doesn't really talk about the other side: end user compatibility. A regular user does not know how IT Security works nor should they need to know. If we want those people to use password managers they need to be easy to use. This includes being able to securely sync them between devices without having to configure anything and without having to set up own server infrastructure. A keepass file on a Dropbox share is reasonably good. But it also needs to integrate with your browser (unsure if keepass supports this).
    And honestly, even a proprietary password manager is better than reusing the same password for every website, which a lot of people actually do.

    • @techguydilan 11 months ago

      I personally like Bitwarden because I feel its the best of both worlds.
      Its code is available and auditable by anyone who wishes to look at it. In that way their zero-knowledge approach can be verified. As we're learning each and every month it seems that with LastPass, sometimes zero-knowledge doesn't mean the same thing to proprietary platforms.
      As I obfuscate my usernames for some things too, it was very alarming to me to learn that attackers had access to all of them and explained why my bank account kept getting locked out due to password guesses despite my username being a combo of my initials and a string of random numbers.

    • @banaantje0456 11 months ago

      Browser integration is not really needed for keepass if you set up autotype correctly. The approach of keepass and remote storage is amazing as a tradeoff between usability and security. I do that as well but instead of cloud storage i have it on a host on my local network accessible with a vpn.

    • @TheStiepen 11 months ago

      @@banaantje0456 that works well for someone like you or me. It doesn't work well at all for someone like my mother who doesn't even have a clue what autotype is, let alone how to set it up.
      Also proper browser integration is great protection against phishing, because it won't let you use the password on the wrong website.

    • @nathanoneiric 10 months ago

      KeepassXC has great browser integration

  • @lavavex 11 months ago +1

    I love my password manager, aka my arduino that emulates a keyboard and typed the same password every time it’s plugged in

  • @madisonhanberry6019 11 months ago +2

    I like your club penguin shirt

  • @ffwast 11 months ago +2

    Very secure (notebook on my desk requires physical access)

    • @eldnahym 11 months ago

      Just make sure the pages stay out of view of any webcams

    • @ffwast 11 months ago +2

      @@eldnahym Don't use one.

  • @Zeioth 11 months ago +4

    In my last company we were considering a cloud password manager. We decided not to. 5 Months or so after said service was hacked.

  • @anon_y_mousse 11 months ago +1

    I'm sure others use the same technique, but I've learned to type in a certain way so that I could just remember a phrase as my password for any given login and then type it quickly while the end result looks nothing like the phrase I memorize.

  • @backajeno 11 months ago +6

    This video wasn't what I expected and it's useless for my needs❤

  • @webrevolution. 11 months ago

    First time I actually see in one of your videos a vuln that I have used to complete a HTB machine, specifically one called Keeper.
    It was so satisfying to see that and be like "oh, oh I know that one, I've already used it to hack stuff".

  • @AstroSamDev 11 months ago +26

    I just wrote my own password manager, it is really quite simple to do if you understand using simple encryption libraries (just wait until those become vulnerabilities).
    It stores all passwords in an encrypted file, which you unlock with a master password, and can also encrypt each entry a second time with a different password. You can also store other files, and just plain text in this encrypted database, and you can generate new totally random new passwords when you need to change (as you should regularly do). Really is quite useful.

    • @adamk.7177 11 months ago +7

      Keepass has most of the same features, so I say you did a good job, bravo on the storing other files part. I don't think you can do that in KeePass actually.

    • @RADIUM108 11 months ago

      @@adamk.7177 you can store other files in keepass if I remember correctly

    • @tablettablete186 11 months ago +7

      But did you implement any process isolation features?
      Things like running in a secure desktop and with a different SID

    • @user-zn3zx6fk7u 11 months ago +6

      >I just wrote my own password manager
      i did it too lol, but dont use it since i fear it bugging and im not a good developer

    • @hipersonic999 11 months ago

      @@adamk.7177 , I think you can, actually, at least in the android version, I recall having something like that.

  • @Ataraxia_Atom 11 months ago +4

    I use bitwarden with the anticipation that ill self host at some point.

  • @llamingo 11 months ago +3

    I use both Bitwarden and Proton pass manager. 👍

    • @azahid1aza751 9 months ago

      I was wondering, what about bitwarden? Sure it's cloud, but it's FOSS

  • @markarca6360 11 months ago

    Jason Donenfield? Yes, this is the same man behind Wireguard!

  • @uuu12343 10 months ago

    I trust these hands more than the cloud

  • @inithinx 11 months ago +5

    Selfhosted Vaultwarden, syncing only when im in the local network. Kinda works like a pseudo-sync.

    • @Jordan-hz1wr 11 months ago

      I’d rather be responsible for 1 single .kdbx file than need to self host an entire backend server infrastructure.

    • @inithinx 11 months ago

      @@Jordan-hz1wr while that's true, I maintain a password manager for like 15 people, and have a local dns, local mail server and everything. vaultwarden makes selfhosting super simple (literally a docker container)

    • @slavic_commonwealth 11 months ago

      you're not schizo enough, then. @@Jordan-hz1wr

  • @benglick7850 11 months ago

    YouTube keeps unsubscribing me from you, why, this is one of my favorite channels on youtube, youtube stahp

  • @IvanToshkov 9 months ago +1

    I haven't read the CVE thing, so I might be talking about a different thing. I think there's a scenario that it might be worse than just corrupting the DB: the attacker can change the master password and then copy the database file. This way, they can unlock the DB file later and gain access to your passwords. If they create a backup copy of the file beforehand and then restore it, one might not even be aware of this happening. A way to mitigate this would be to require the current master password when there's a request to change it, even if the DB is unlocked at that time.

    • @BillAnt 6 months ago

      A simple user defined timeout feature could mitigate the database being left open for a length of time. They can corrupt it all they want, as long as you have a couple of backups in different places.

    • @IvanToshkov 6 months ago

      @@BillAnt And what would be a sensible timeout that on the one hand mitigates the problem and on the other doesn't make the UX unbearable?

    • @BillAnt 6 months ago

      @@IvanToshkov- That's why I wrote "a user defined timeout". Anywhere from a minute to an hour, whatever you feel comfortable with.

  • @geronimo3970 11 months ago +1

    My password manager is my brain. Good luck hacking into that

  • @thebitter6262 11 months ago +1

    I have been using a Kingston DataTraveler USB stick and KeePass portable for about 10 years.

    • @capitolia 4 months ago

      …and for the mobile phone?

    • @thebitter6262 4 months ago

      @@capitolia The only passwords saved on my phone are for Discord, Brilliant and Disney+. Yes, a long time ago I had to type them in manually. My approach is to keep important things as far away from my phone as possible.

  • @travis5732 11 months ago

    A self hosted password manager is doing the trick for me.

  • @zbdfhg 11 months ago +1

    Title reminds me of, "What color is your Bugatti?"

  • @NumberOneBlackGuy 2 months ago

    JT doing side quests

  • @sfzndo 11 months ago

    never thought I'd see jayson tatum telling me about password managers but here we are

  • @whatsGyall 11 months ago

    Text editor does wonderfully for me

  • @Lulxec 11 months ago +1

    I made my own terminal based password manager with 256AES encryption that requires a specific usb to run

  • @bartekburmistrz8679 11 months ago +3

    In my family everyone has an unhackable password manager it's called a notebook, but then it's useless without the second part that I keep encrypted on my pc in a simple cmd program I made using off the shelf crypt programs, You put in a master password, then the notebook password and you get the second part of the password

  • @henrygreen2096 11 months ago +2

    Very informative, thank you. I don't know why I never considered that there could potentially be a program that reads keyboard inputs. Having something like that sending info back is wild.

  • @bestrenderings796 2 months ago

    LOL! Love the Cheeto dead bolt!

  • @moepikd 11 months ago +2

    My password manager is a book. It's much harder to gain my passwords if you can't gain them by hacking into a password manager and can only get them by physically committing theft.

  • @creative.money_eu 11 months ago

    your videos have gotten a lot better over the years! gg!

  • @XavierHyena 11 months ago +1

    "Old Man Yells at Cloud"

  • @aschelocke5287 11 months ago +1

    You can roll back your database with gdrive. Did it a couple of months ago when it became corrupted

  • @kH-ul4hk 11 months ago +2

    What is your opinion of the trend of moving to passkeys?

  • @ionrael 11 months ago

    *laughs in a sticky note attached to the monitor with the passwords*

  • @joshuacampbell1849 9 months ago +1

    Thank you Jayson tatum

  • @dnizamovv 11 months ago +3

    What would you say of something like Bitwarden, which is open source, but still cloud based

    • @NuchiAsaki 11 months ago

      It's still someone else's computer.

    • @NuchiAsaki
      @NuchiAsaki 6 months ago

      @@kaper-sd9qx If it's on the internet it's a target. If they turn off their PC, you lose access. You don't know them, you shouldn't trust them.

  • @max5183
    @max5183 11 months ago +2

    This video is titled "how secure is your password manager". Considering I don't use KeePass, this was a total waste of my time.

    • @gnutard1735
      @gnutard1735 10 months ago

      No, it isn't.

  • @homenakki1663
    @homenakki1663 11 months ago +2

    I belong to the piece of paper and a pencil gang

  • @cruiserkumano
    @cruiserkumano 11 months ago +1

    Well, you could write down your passwords and store it in a safe deposit box as a backup.

  • @AndrewTSq
    @AndrewTSq 11 months ago +1

    I don't understand people using a password manager. So to make it harder to get your passwords, you put them in an online source, and you bundle all your passwords into one single password. Makes sense?

  • @Alexifeu
    @Alexifeu 11 months ago +1

    Google Password Manager is cool

  • @SlfgjkAldfjgf
    @SlfgjkAldfjgf 2 months ago +3

    So what is the bottom line? You kept mumbling about vulnerabilities. What is the solution for the average user?

  • @theman2160
    @theman2160 11 months ago

    The virgin proprietary password manager can't even touch the Chad having no money to steal.

  • @xade8381
    @xade8381 11 months ago +1

    I can be a password manager too, just send those and I'll keep them secure

  • @Sypitz
    @Sypitz 11 months ago +8

    Or, hear me out, you could just not use a secondary program to store your passwords and just write them down somewhere physically? People can’t hack paper.

    • @travelfar4230
      @travelfar4230 11 months ago +5

      Ever heard of the wrench hack?

    • @rusi6219
      @rusi6219 11 months ago

      @@travelfar4230 like a computer hacker is able to interact with the real world lol

    • @esquilax5563
      @esquilax5563 11 months ago +2

      Depends on your threat model. If you live in a country where the security services will happily break into your home and go through your things, you're gonna want another solution. But if your home is secure and you're mainly worried about online attacks, then paper is alright. Just make sure you have an offsite backup in case of fire - might be a pain keeping that in sync. And password managers have other useful features like auto type - that allows you to enter your password in a public place without worrying about people shoulder surfing, not so easy with paper

    • @holdenwinters68
      @holdenwinters68 11 months ago

      And bring them everywhere you go? So that when someone sticks you up for your laptop bag - they get everything? Great idea.

    • @rusi6219
      @rusi6219 11 months ago

      @@holdenwinters68 why would you keep all your possessions in one bag

  • @Vemu
    @Vemu 11 months ago +1

    What do you think of Bitwarden?

  • @paglia73
    @paglia73 10 months ago +2

    Jayson Tatum?

  • @olamidehimself
    @olamidehimself 11 months ago

    I don't know why I ever thought you were a white man in his early 40s who has been in the IT space since 2005😀. Keep up the good work, man. Love the videos

  • @topokhancom
    @topokhancom 11 months ago +32

    If you're going to use a Password Manager, it's best practice to modify the saved password by adding or removing some characters. When you need to use a password, adjust the characters as needed. This way, even if it gets leaked, the password won't work for anyone else.

    • @industrialdonut7681
      @industrialdonut7681 11 months ago +2

      So like weakly encrypting it before storing it?

    • @mtk3668
      @mtk3668 11 months ago +9

      Don't agree at all. It's way better to use your password manager's password generator. When making a password I usually set the max character limit that the site allows. Sadly some actually cap you at 15-char passwords.. in 2023. Some sites though I have 99-char passwords for, bc why not. If a site gets breached, just change the password. Rinse and repeat.

    • @industrialdonut7681
      @industrialdonut7681 11 months ago

      @@mtk3668 Yeah but I think the OP is still saying to use that, then change some characters by a method you'll remember so that even if the password manager gets hacked then you still have another subtle layer to the real passwords in use

    • @ST-actual
      @ST-actual 11 months ago

      @@mtk3668 wrong. Original post is the correct way to store passwords. Password manager has first half, your brain has second half.

    • @nirinarabeson
      @nirinarabeson 10 months ago

      I was pleasantly surprised when my local country taxes website allowed for 256 long passwords… keepass autocomplete go brrrrr

  • @SpaceCadetKitty
    @SpaceCadetKitty 11 months ago +1

    You guys don't write down your passwords on your hand with a Sharpie?

  • @mngmng_
    @mngmng_ 11 months ago +1

    pen and paper currently, but I write them encoded using an algorithm I made up so I don't have to worry about it being stolen

    • @loupasternak
      @loupasternak 2 months ago

      Yes, you add 1 to the ASCII code. We know that trick

  • @motionthings
    @motionthings 11 months ago

    Self hosted Vaultwarden here :)

  • @Toumasu
    @Toumasu 11 months ago +1

    Imagine not having the option to save a KeePass backup every time you save enabled. An attacker wouldn't be open to lock you out of that one. But then again, if the dude is already on your PC he could do about anything else

    • @Toumasu
      @Toumasu 11 months ago

      FYI I also use the YubiKey but it's HMAC-SHA1 and I don't know if that's still secure. Combined with the static pwd maybe

  • @YouMe-mf7ed
    @YouMe-mf7ed 11 months ago +1

    Mental Outlaw. I know you talked about other companies that seem to do a very good job protecting passwords that you have used.
    I just have a question about Kaspersky password protection? Has there been any leakages you know about or data sharing?
    Ik it's a Russian company but online I can't seem to find a genuine article talking about data breaches other than redditors going dumb and scaring others using "I have heard statements than facts" in password manager.
    Would love an insight or video on this topic, please 🙏

  • @chinoto1
    @chinoto1 11 months ago

    I started using buttercup after seeing an article about a new open source password manager. If it weren't for that article, I might have stuck with a plain-text file.

  • @RylanTech
    @RylanTech 11 months ago

    I'm a web dev and my next project is an open source, web-based password manager. It's probably not going to be amazing but it's my data on my software on my hardware on my network.

  • @RajinderYadav
    @RajinderYadav 8 months ago

    I use pgp, got a simple bash script to encrypt/decrypt files on the fly. I back up everything multiple times.

  • @lilia-ai
    @lilia-ai 11 months ago

    Password and salt are on notepad, just a bunch of words and numbers. I encrypt it in my head using my own variation of ROT13, and use the result as my password. Nobody expects people to just calculate everything every time they want to enter a password.

  • @Clancydaenlightened
    @Clancydaenlightened 11 months ago

    My brain is like an enigma, good luck finding my passwords
    Can't read the storage medium and doesn't need internet or a computer to hold the information

  • @jpdlpokedigi10
    @jpdlpokedigi10 11 months ago

    Keepass ftw

  • @stevenchristenson2428
    @stevenchristenson2428 11 months ago +8

    I remember having a discussion with the previous system admin to my current job about password managers. He was telling me how awesome this one manager was and of course it was all in the cloud. I looked at him and said someone else knows your passwords.. He laughed and said no they don't because they keep it encrypted and it uses ssl. Even tech people can convince themselves of false security when they should know better, this is why I try and self host everything. The cloud is not secure and the whole idea of keeping passwords there really boggles my mind why anyone would think that is secure...

  • @pikazap6672
    @pikazap6672 11 months ago

    My bunch of sticky notes is my password manager 🔑

  • @iplayminecraft833
    @iplayminecraft833 9 months ago

    Here's how you can be really jacked and remember all your passwords: every time you forget a password the one push up. This will make you stronger than The Rock and give insane memory power, makes you stronger and smarter LMAO

  • @B0xF0xplays
    @B0xF0xplays 11 months ago +6

    Why not just use a USB stick to store your passwords?

    • @adamk.7177
      @adamk.7177 11 months ago +6

      USB sticks fail often. Back up to at least more than one storage device if possible, preferably an external HDD for long term storage.

    • @hehe42069-k
      @hehe42069-k 11 months ago

      @@adamk.7177 do they though? I have usb sticks and even sd cards over 10 years old now that've outlived hard drives, external ones too lol.

    • @B0xF0xplays
      @B0xF0xplays 11 months ago +1

      I just meant any jump drive @@adamk.7177

  • @newmonengineering
    @newmonengineering 11 months ago

    I use passport, it comes with Gryphin Router. It's a block chain storage container

  • @CaptZenPetabyte
    @CaptZenPetabyte 10 months ago

    I have a manual / offline password management that uses an algorithm that's easy to remember on top of that combined and is kept in my wallet (and other locations, in a 3/2/1 backup style) and even if people get hold of the 'card' they can't decrypt because they don't have the memorised algorithm ... if *any* part of the system is compromised (any 1 of the 3 parts) it takes literally *minutes* to re-create a new 'system' and change all passwords and the old 'parts' are made useless.

  • @josipX
    @josipX 11 months ago

    vaultwarden goated

  • @Ultrajamz
    @Ultrajamz 3 months ago

    A video on passkeys coming?

  • @F_Around_and_find_out
    @F_Around_and_find_out 11 months ago +1

    Doesn't matter what password managers you use, remember to shuffle it all once in a while.

  • @firebadnofire9768
    @firebadnofire9768 11 months ago

    My personal favorite password manager:
    The 5gb LUKS partition on my server