How Password Managers Work - Computerphile

  • Published 14 May 2024
  • Password1 is a terrible password, but how can I remember different secure passwords for each login? Use a password manager. Dr Mike Pound explains how they work.
    How to Choose a Password: • How to Choose a Passwo...
    Password Cracking on a 4x Titan X Beast: • Password Cracking - Co...
    Securing Stream Ciphers (HMAC): • Securing Stream Cipher...
    / computerphile
    / computer_phile
    This video was filmed and edited by Sean Riley.
    Computer Science at the University of Nottingham: bit.ly/nottscomputer
    Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com

Comments • 755

  • @StreuB1 5 years ago +991

    Dr. Pound is one of the best presenters......his dryness is also absolutely hilarious. LOL

    • @BlueZirnitra 5 years ago +21

      Ok, so WHAT WE'RE GONNA DO, right? Is this..

    • @StreuB1 5 years ago +18

      @@BlueZirnitra HAHAAHAH!!!! I think he's likely as awesome lecturer as well. Would love to sit in on one.

    • @Swipe650 5 years ago +27

      Pound that like button for Dr Mike

    • @abandonedmuse 5 years ago +4

      Swipe650 not gonna say what I was thinking. Nope. Just gonna walk away from that one.

    • @maharajahdann 4 years ago +4

      @@abandonedmuse Pound Dr Mike's Button perhaps?

  • @Wilker_uwu 5 years ago +357

    this is The Lockpicking Lawyer and what i have for you today is the concept and function of the password managers.

    • @RBXTrains 4 years ago +3

      Very funny 10/10, off to Edinburgh now!!

    • @maddoggLP 4 years ago +39

      A little click out of 1..2...3,..., 256 aaand we got our AES-Key

    • @bundy1688 4 years ago

      Meta

    • @Envinite 3 years ago +14

      Nothing on ksda34bw4t4748797sjTe.........nothing on WxB7ww3n7464se4etesimyf8e4qwq.............

    • @bubboydarker9030 3 years ago +2

      *50 million years later*

  • @paulsteenbergen4223 5 years ago +471

    💡 Security tip: Do not store email credentials in the password vault, in case it gets cracked you still have your email secure to retrieve all of your logins...

    • @x3ICEx 5 years ago +9

      vault*
      Edit: it's been fixed :)

    • @jamesedwards3923 5 years ago +33

      Not bad advice at all.

    • @paulsteenbergen4223 5 years ago +2

      Thanks... corrected

    • @kurihunt92 5 years ago +20

      @@BattousaiHBr or... use MFA(2FA) on your PWmanager

    • @tuxlivonchur435 5 years ago +1

      Who in the world would hack my password vault KeePassXC? How?

  • @Lambda_Ovine 4 years ago +98

    Just remember people, if you get an email that seems to be from your password manager saying that you need to "verify" your account and they need your password, or if they ask you your master password for whatever reason, DO NOT send them your master password, don't click the link and report the email as a fishing email! It's a fishing attack! Your password manager should and will never ask you your master password.

    • @jamesedwards3923 3 years ago +1

      If you used KeePass or Password Safe. That is not an issue now is it?

    • @hi_its_me1337 2 months ago

      Phishing*

  • @gold4963 2 years ago +19

    Personal bookmarks.
    4:55. True explanation starts.
    5:25. Two derivations from the password.
    5:47. Master password authentication; how it's used in the grand scheme of things.
    6:31. How LastPass creates a master password; appends email | master password; hashes this many times.
    8:36. A main idea!
    9:06. Difference between OnePass.

  • @HechTea 5 years ago +248

    "Go and animate that."

  • @robertbrowne7880 5 years ago +277

    What about "password321"? I bet that one's rock solid, but I can't use it now because wanting to share my brilliance has foiled me yet again.

    • @lyrimetacurl0 4 years ago +15

      A scammer once created a profile for something without my consent and put the password as "123456". I changed it to something really complicated that I would forget.

    • @MrMineHeads. 4 years ago +1

      Don't worry, hunter2 is the best password

    • @conradrobinson7941 3 years ago +2

      Dont you just hate it when that happens.

    • @go9565 3 years ago +3

      You are your own nemesis

    • @lanceareadbhar 2 years ago +1

      Password321 for extra security

  • @saadhassan3521 4 years ago +40

    Would really love to see an actual programming language or any subject tutorial from Dr.Mike Pound. love the way he conveys knowledge, so easy to understand.

    • @nxrada 1 month ago

      i’m r que le hemos

  • @Kydos37 5 years ago +32

    So much less stress watching these out of interest and not as part of a cramming session.

    • @peti826 4 years ago +2

      @Sassy The Sasquatch You would be surprised how many exams and tests people (including me) manage to pass (hehe) by learning from YT videos.

  • @GrimmerPl 5 years ago +58

    Tip of the day: always use 2FA if able. Thanks to that you can add an extra layer of security on top of your password manager.

    • @jamesedwards3923 5 years ago +1

      Also turn on an app locker or app blocker on your android device. It is not encryption. It is a stop gap to hinder casual or criminal intrusion.

    • @GRBtutorials 5 years ago +3

      James Edwards And how would that differ from just using a device-wide code?

    • @jamesedwards3923 4 years ago +2

      @@GRBtutorials App Lockers are typically integrated into the application. App Lockers are also associated with Android antivirus software.
      Note: the ones I will be referring to, unless stated otherwise, are the app 'blockers' associated with Android devices via third-party antivirus security programs.
      It is not encryption, more of a stop-gap measure.
      For example, let us say I am on a train and I set up an app locker. Somebody runs off the train and snatches my phone in the process. However my phone is not locked. Most of us do not completely log out of our phones' mobile apps.
      Keep in mind, unless you are using an application-specific locker, this just prohibits them from interacting with the application directly. The application is indeed 'open.' A decent hacker could bypass the app locker; or blocker, as it should be commonly called.
      This will give you time to lock and wipe the device.
      Keep in mind you can find third-party 'standalone' versions of this.
      My personal recommendation is that, if you are out on the town, try having two that overlap with each other, say at 1 minute and 30 second intervals. It will make it much harder for a common thief to access your applications, buying more time.
      If they keep your phone active, the phone will not lock until you get to a computer to remotely do it.

  • @VitorGiannasi 4 years ago +19

    I use KeePass and for the most important passwords I also include a last sequence of characters which I memorise, then even if someone has access to my database they won't get the whole password.

    • @jamesedwards3923 3 years ago +2

      The double blind method is efficient.

  • @rabidbigdog 5 years ago +136

    How much more tractor feed paper does the computing department have from the 1980s?

    • @sbalogh53 5 years ago +12

      See that storeroom over there? .......

    • @darthmonks 5 years ago +49

      That storeroom is where we keep the list of storage locations for the paper.

  • @kn0bhe4d 5 years ago +283

    1:05 Who is Kate? Is Bob cheating on Alice?!

    • @t0cn413 5 years ago +7

      yes

    • @RexGalilae 5 years ago +9

      ProBob drama ensues

    • @josue_mejia 5 years ago +16

      It's his and Alice's daughter. He loves his daughter.

    • @jmullentech 5 years ago +13

      @@josue_mejia ^ So he's bangin his daughter? Seems legit.

    • @omiorahman6283 4 years ago +5

      @@jmullentech this is not game of thrones

  • @michelfeinstein 5 years ago +13

    I would love to see an open-source password-manager core, and the companies use this core on their services, just like Signal does for messaging. This way we can be more confident about the implementation details of those architectures.

    • @knightsljx 1 year ago +22

      Bitwarden says hi

    • @adrianozambranamarchetti2187 6 months ago

      For those hailing from the future, which is unlikely given the age of the video but here's hoping.
      You can use KeepassXC or any KeePass variant as a password manager without sync, then use Syncthing to sync the vault across devices.
      No server needed!

  • @AndOne23 5 years ago +1

    I maybe understand 10% of what Dr Pound is talking about but he does it with such passion and enthusiasm that I'm still clicking on the videos when I see his face.

    • @jamesedwards3923 4 years ago +1

      You can look up articles and academic sources while you are listening. It is what I do. I am not an expert either, but I made some remote effort to understand.

  • @MacShapow 5 years ago +120

    Well, I use my password manager for most things but I'm a bit paranoid and I do have 5 passwords that I just remember: Laptop, bank, email, phone, and. of course, the password to my password manager.
    (I guess phone and laptop are also practical; can't get to the password manager before I turn them on anyway!)

    • @baldeepbirak 5 years ago +2

      Same here

    • @totlyepic 5 years ago +11

      Not that you really need to even worry too much about the strength of your laptop or phone passwords. If someone has physical access to the device, all bets are off anyway. They don't need to ever learn your password to get access to anything locally stored on the device. Web-authenticated services (like your email) would still be safe though, I think (would have to see what is/isn't stored locally).

    • @jamessadventures1380 5 years ago +18

      @@totlyepic Not *strictly* true, yes in the vast majority of cases 'if you hold the box you own the box' but things like fully encrypted drives, full secure boot / locked bootloaders, etc. mean that data can still be secured!

    • @MrGilRoland 5 years ago +38

      Plot twist: “Laptop”, “bank”, “email”, “phone”, “and. of course”, are the actual 5 passwords he’s using.

    • @jamesedwards3923 5 years ago

      You are being logical. I do not remember my bank password, but more logical than most I have encountered.

  • @rayweaver2069 5 years ago

    Was really happy to see a video about password managers featuring Mike Pound. 😃👌

  • @elukok 5 years ago +6

    A very simple way to vastly reduce the possibility of damage when your main password leaks: when creating a password for some site, let the password manager generate a strong password, save that to the password manager, but then add some static part at the end of the generated password that will be saved to the actual site but not to the password manager. The part you added will be the same for all of your saved passwords and you will have to remember it.
    This way, even if your password DB leaks somehow, the passwords themselves won't work and it still keeps most of the convenience of a password manager.

    • @txcpnae 5 years ago

      elukok that's very clever!!

    • @aitchpea6011 5 years ago

      That's a fantastic suggestion. I'm definitely going to start doing that.

  • @fxopaws 4 years ago

    Really like the continuous paper for illustration. Used it 30 years ago to print T-accounts. BTW, great series.

  • @michaelhammer5616 5 years ago

    Super awesome! I love password topics covered by your channel. Please more. Thanks!!
    Also: A recommendation which password manager Dr. Pound is using would be great!

    • @itskdog 5 years ago

      Michael Hammer That would probably be a security flaw in and of itself. You probably don’t want the whole world knowing which service you use, as they may start trying the “forgot password” tool and possibly get in.

  • @gloverelaxis 5 years ago +4

    I've been through a few password managers (LastPass, 1Password, KeePass, and even storing a text file in a TrueCrypt/VeraCrypt mounted container) and found KeeWeb to be the best balance of security and usability.

  • @joakimk9394 5 years ago +1

    I was hoping to see you do this topic, thank you :)

  • @vinceoliverio3912 5 years ago

    Mike Pound is the best. Love this guy.

  • @MrSykezbro 5 years ago +4

    Whenever I see the computerphile video finally has Mike back in, I'm always instantly clicking

    • @chicoktc 5 years ago +1

      You could have just said "I'm a simple man. I see Mike, I click".

    • @MrSykezbro 5 years ago +2

      @@chicoktc I'm a man of taste, I form my own answers ;)

  • @lohphat 5 years ago +24

    The key (get it?) is to not select a password manager which will entrap you in a perpetual subscription to function, e.g. they keep your vault in their paid cloud service. You don't want to be caught out by either a missed payment or the company having an operational issue separating you from your password vault.
    Always select a product which allows you to control where the vault is, e.g. I use 1Password but elected to use a local vault and then I use Dropbox to sync between devices. If I decide to use another cloud storage provider, I can move the vault freely.
    Also, most of these products don't read each other's formats so you can easily migrate between products should one raise their prices or go out of business, forcing you to start from scratch.
    Customer lock-in is evil.

    • @azuravian 5 years ago +6

      Agreed on your concept of customer lock-in. Almost all password managers, however, have the capability for you to export your entire vault into a file, which can then be imported into another password manager. As a matter of fact, I don't know one that doesn't have this function, although I'm sure they exist. If they do, those are the ones I'd never use.

    • @jamesedwards3923 5 years ago +2

      I try to support open source software.

    • @lohphat 5 years ago +1

      Gregory Booth It may have an export function but more importantly, how can other products import the data? The database schemas are different. The devil is in the details. If you have to tweak a large number of imported entries then the “feature” isn’t really a feature.

    • @jamesedwards3923 5 years ago

      ​@@lohphat The data is 'decipherable.' KeePass (depending on which version you use) allows you to export as customized .html file. Yes, I would have to 'reconstruct' the database. However it is salvageable. You should be backing up your database in different formats for logistical reasons every time you backup the file. The 321 rule of backing up still applies. Three different copies. Two different media formats. In this case types equals file types.
      KeePass allows you to 'print' your password database file. Microsoft for example allows you to print to .pdf format and .xps format. You can also save screen captures of your database if you want to take the time to do it.
      - Not to mention the numerous applications that allow you to export, print to, etc.
      You should be saving the last few versions of KeePass on a disk somewhere. So if you 'need' to port the data, you would still be able to read it. It is all about redundancy.

    • @lockergr 4 years ago

      I don't really understand this. Where would you put this vault like on your MacBook, or external hard drive? And how do you secure it there? Trying to learn, but I am new to all this.

  • @TheMCmace 3 years ago

    I love this man and I love how ambitious he is about IT things

  • @bluekeybo 5 years ago +24

    KeePass would be the best option here. It was audited by the EUFOSSA project. No Cloud to worry about, all local. You can save it anywhere, including the cloud if you wish. If you really still want a cloud based manager for convenience, Bitwarden is the way to go. Thanks for the video!

    • @jessem4087 5 years ago +8

      I like to use KeePass with Syncthing to keep everything up to date, but you could use other FOSS tools like rsync or Nextcloud

  • @sylvansorrow 5 years ago +6

    Always enjoy these videos. But can you talk more about account recovery keys? Or master decryption keys and how they work. A lot of these services have methods to recover your account in case you lose your master password with master keys, how do those work?

  • @JER0EN 5 years ago +5

    You can use KeePass with the IOProtocolExt extension to sync it via WebDAV with various cloud providers. It even provides synchronization if the KeePass database was updated on the server.
    I have it set up so whenever I open KeePass it prompts me for my password, which is stored remotely on my Nextcloud server. It retrieves this password database via WebDAV. And each KeePass installation has a separate key in Nextcloud so it can download the file.
    The password database file is also locally stored using the Nextcloud client, but it is safer and faster to write to the database via WebDAV.

    • @AndrewFRC135 5 years ago +1

      That's the beauty of KeePass. You own it completely and use it however suits your use case. I have my devices (laptops and smartphone) sync the KeePass vault via a backup copy on my home DNS server over SFTP, but only from within my LAN. My devices don't sync when I'm not home, but it means my database never leaves any of my hardware.

  • @Guyflyer12 5 years ago +3

    You say there are three methods of keeping passwords: writing them down, the same password, or a password manager. The best solution is to create a very simple formula that you can easily remember that creates unique passwords for each website. Off the top of my head, some base password that is easy to remember + some easily repeatable function (rule) that spits out a few characters to add to the base password. A hacker would have to have 2 hacked passwords + do specific code cracking to figure out your function

    • @lockergr 4 years ago

      Brock Elmore This is actually a smart idea.

  • @DanielLiljeberg 5 years ago +2

    I use a password manager. But I also use/have used another system that has made me have unique, complex passwords for every service, that I remember and don't write down. I simply come up with a default complex password. Then I incorporate the service in question in some decided manner. One example could be the domain name, perhaps with alternating small and big letters and some letters exchanged for numbers.
    Now when you reach a site you will know your unique password for that site simply by knowing the site's domain name and your own personal rules for your password.

  • @bonniemunene5163 1 year ago +1

    A password manager sits above all browsers that you may have stored different passwords in.
    It also sits above all devices that you may have, for example across operating systems, PC and mobile devices.

  • @alexbrown4046 5 years ago +1

    A video on how masked passwords work would be awesome!

  • @lathans1 5 years ago +2

    @Computerfile: I feel that trusting larger password managers with sky storage is not about trusting the company to do the right thing. It is more about betting on who will be winning the fight when they make themselves a target, since many people will have a huge interest in gaining access to such information. They could become compromised by hackers employed by criminals, governments, or other people in power. Even while the cryptography is strong and sensible, other stuff could still happen, like modifications to the client software which would act as a trojan and not only protect the passwords as regular, but also supply them to a third party. But you are right. For everyday Joe the benefits of a non-effort password manager outweigh the small risk of putting all eggs in the same basket when the security is so strong.

    • @jamesedwards3923 5 years ago

      If you do not trust cloud password managers, use other options, then encrypt those files.
      Again, there are so many options, free, paid, or open source.

  • @matthewbarnes375 5 years ago +6

    Being a software developer, I really like Pass. It's open source and leverages GPG and Git -- two things I use every day anyway -- instead of reinventing the wheel.

  • @baldeepbirak 5 years ago

    Great insight. Password managers stop repeat passwords and show you when you add a weak password.

  • @HassanSelim0 5 years ago

    I use HMAC to deterministically generate my passwords (master + domain) every time I need them, but then I use LastPass on my phone for a few passwords for fingerprint auto-fill convenience.

  • @IIvian 5 years ago +96

    Will there be a followup episode on how the 'master password recovery' procedure works in those kind of solutions?

    • @JNCressey 5 years ago +16

      *T-Mobile Austria has left the chat

    • @zrobotics 5 years ago +26

      It depends. For instance, I use KeePass. If I forget my database password, I'm 100% SOL, whereas LastPass does offer recovery. I would argue that this is a security weakness, since then there are options for malicious actors to access the password DB more easily. So while I do maintain a cloud-storage backup of my password DB, it is protected by multiple passwords- the unique password to access the cloud service, and the unique password to unencrypt the password database. While a breach may be possible, it is still more secure than having a recovery alternative. And the likelihood of me forgetting the KeePass password is nonexistent, since aside from my phone unlock password it is the most frequently used password, and if I forget something I'm typing several times per day I likely have larger problems.

    • @Furiends 5 years ago

      With google your devices are part of a sync to where they all store your data. In what way they are encrypted in storage I don't know but it is NOT based on your master password. Thus resetting the master is just a matter of creating a new cloud sync with the existing data on the device.

    • @shaun_rambaran 5 years ago

      @@zrobotics Hi, zrobotics. I'm a new KeePass user. Where or how have you been backing up your KeePass database and private key? Do you trust backing them up to a web server or cloud storage, or have you been keeping them on offline hard drives?

    • @Outfrost 5 years ago +3

      I'll just say that I will never trust my passwords, password vaults or personal data with any company, individual or scheme that offers something along the lines of "master password recovery". If anything even remotely close to that is possible, it is, in security terms, a situation equivalent to storing all of your passwords in cleartext on a single server accessed by arbitrary people.

  • @TON-vz3pe 1 year ago

    I have some methods. I already do this so it's pretty safe.
    Method 1: Map all the English alphabet letters to some Unicode characters which you can remember. Basically you invent your own cipher. Then create some app/program in C++ or Rust which can convert any English txt file to the Unicode-mapping txt file. Print it on some card and keep it in your purse.
    The same can be written on paper. Only you can understand it.
    Method 2: Put all your secret stuff in a file. Encrypt it using some program or your own custom program. Keep the program binary in a private GitHub repo. Deny all outbound connections on your machine. Keep the encrypted txt file anywhere you like, can be Gmail.
    It takes some effort to protect valuable things. Don't go for easy options.

  • @Dusk-MTG 4 years ago +20

    Password1: 10 IQ
    using a password manager: 100 IQ
    1drowssaP: 1000 IQ

  • @lualgomo3920 2 years ago

    Another option is using a long structured password with small variations. That way they are all different yet easy to remember.
    Example:
    Service: TH-cam ---Add 1 letter---> Zpvuvcf
    Base password: Something_With_"$%&!"_and_"134679"
    Then you merge them:
    Something_With_"Zpvuvcf",_"$%&!"_and_"134679"
    So there, you have a somewhat secure password that is easy to remember. You can make it longer, shorter, with more symbols or mess it up a bit. Also, as the letters seem random, you don't need to worry (too much) about someone getting the plain-text password in a data leak. Most likely no one will understand what "Zpvuvcf" means.

  • @nberedim 5 years ago +12

    +1 for KeePass mention

  • @aidancoutts2341 4 years ago +7

    Your email is used to reset so much stuff. If any of your passwords are unique and secure, it should be that one

  • @pward17 5 years ago

    This weekend I started a pw manager and bought a server to host a git repo. I'm using pass for Linux. I thought I was being re-marketed and then saw the date on the vid.
    It works too. pass git push/pull and boom.

  • @TS6815 5 years ago +1

    How would you feel about a user utilizing a local password management program and merely saving the file on Dropbox, Google Drive or similar? Sort of a deflection of the concern of a big target on the back of Dashlane et al. at the expense of a little less intrinsic security

  • @blackbox4214 5 years ago

    Back to passwords!! Brilliant

  • @NickMC512 5 years ago

    I see Dr. Pound, I know I am about to learn. I tap the like button, tap the play button, and commence learning.

  • @jonahbranch5625 1 year ago

    Y'all should do a video on the OPAQUE password authentication protocol!

  • @NA-lp2re 2 years ago +1

    Choose a password manager that supports security keys like Yubikey. That way an attacker not only has to guess your master password, they also need your physical key to authenticate.

  • @addubgib 5 years ago +1

    I am a simple person. I see Dr Pound, I click

  • @petehiggins33 5 years ago +1

    Most of my important password protected online services require me to enter a small subset of the characters, often using pull-down menus. How do password managers cope with that? If I have say a 20 character password am I going to have to count to the 7th, 12th and 19th characters of a displayed password in order to enter them?

  • @aitchpea6011 5 years ago +1

    I have two passwords written down in a notebook, hand-encrypted (weakly, I admit, but I have to decrypt it entirely in my head when I forget one or the other of the passwords). One is for my KeePass database, the other is for the cloud storage service (no I'm not telling you which one) I use for the sole purpose of backing up that database and transferring it between devices. There's a lot of other files on that cloud storage account, but they're all random data with similar filenames to the actual database. You know, for extra obfuscation.

    • @jamesedwards3923 5 years ago +1

      I have a better idea. Use that code you wrote down as the second authentication.
      What do I mean?
      Do not commit your cloud storage to your head. It is a bad idea, because your cloud storage password can be 'compromised' any number of ways. Your KeePass password, committed to memory, is a lot harder. Put your KeePass file in another encrypted file. Congratulations, you created at least three factors of authentication.
      One is your external encryption password.
      Then you have your KeePass password.
      You also have a keyfile.
      You are welcome by the way.

  • @ljoonal8275 5 years ago +3

    I've found Syncthing to be a reasonably good way to keep my KeePass database on multiple clients.

  • @ElkoGuitarist 5 years ago +1

    I wish this guy were a lecturer at my university. Dude is a genius.

  • @iflnr978 4 years ago

    Thanks for the great video!

  • @pulancheck 5 years ago +1

    I think I was looking into KeePass or a similar cloud-based solution (something with a browser plugin) & saw they have the "forgot password" functionality like you see basically on every site.. How is this even possible?
    So, you have your whole vault encrypted with the "master password", the vault is only decrypted locally and on the server it is stored only encrypted.. but that "master password" is also your login password for the site..
    And if you forget it .. you can change it?? That means IT wasn't the actual key used to encrypt the vault, right? I know they mention something in the video about key derivation & concatenation with the email, then hashing. But still..
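    A worked version of the split the question above is asking about (and of the "email | master password, hashed many times" bookmark earlier in the thread), added here as an example; it is not the video's code nor any password manager's own implementation. The master password is stretched into two different values: a vault key that stays on the device and a separate auth hash sent at login, and the server stores only a verifier of the latter. Function names, iteration counts and the sample account are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed demo parameters; real managers use their own (higher) iteration
# counts, salt formats and KDFs. This is an illustration, not vendor code.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000


def vault_key(email: str, master_password: str,
              iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side: stretch the master password with PBKDF2-HMAC-SHA256,
    salted with the normalised e-mail address. The 32-byte result is the
    key that encrypts the vault (in real products it feeds AES) and it
    never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256",
                               master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               iterations, dklen=32)


def auth_hash(email: str, master_password: str,
              iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side: one extra PBKDF2 round over the vault key, salted with
    the password, yields a different value that is sent as the login
    credential. PBKDF2 is one-way, so the server cannot recover the vault
    key from what it receives."""
    return hashlib.pbkdf2_hmac("sha256",
                               vault_key(email, master_password, iterations),
                               master_password.encode("utf-8"),
                               1, dklen=32)


def server_enroll(auth: bytes, server_salt: bytes,
                  iterations: int = SERVER_ITERATIONS) -> bytes:
    """Server side: treat the received auth hash like any password and keep
    only a salted, stretched verifier of it, never the auth hash itself."""
    return hashlib.pbkdf2_hmac("sha256", auth, server_salt, iterations, dklen=32)


def server_verify(stored_verifier: bytes, auth: bytes, server_salt: bytes,
                  iterations: int = SERVER_ITERATIONS) -> bool:
    """Server side: constant-time comparison of a login attempt."""
    candidate = server_enroll(auth, server_salt, iterations)
    return hmac.compare_digest(stored_verifier, candidate)


def demo() -> dict:
    """Sign-up and login for a constructed account; results are returned
    (not only printed) so they can be checked."""
    email, master = "alice@example.com", "correct horse battery staple"  # constructed
    key = vault_key(email, master)
    auth = auth_hash(email, master)
    server_salt = os.urandom(16)          # chosen by the server at sign-up
    verifier = server_enroll(auth, server_salt)
    return {
        "key_and_auth_differ": key != auth,
        "login_ok": server_verify(verifier, auth, server_salt),
        "wrong_password_rejected": not server_verify(
            verifier, auth_hash(email, "Password1"), server_salt),
        # Everything a breach of the server could expose: no vault key here.
        "server_holds": {"salt": server_salt.hex(), "verifier": verifier.hex()},
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    A "forgot master password" reset can replace the server-side verifier, but nothing the server holds lets it rebuild the vault key, so any recovery feature has to rely on additional key material kept somewhere else.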

  • @Aerroon 5 years ago +1

    I think KeePass is the best solution. You have control of the vault yourself and you can have two different keys for the vault - you can have a keyfile and a master password that are both required to open the vault. This means that you could sync the vault through online services, but only move keyfiles through offline methods.
    Also, another thing you can do is have different vaults for different levels of passwords. For example, you could have a vault that only stores your unimportant forum logins and what not and then have a separate vault that includes more important information.

    • @aduh95 5 years ago

      Or you could use Bitwarden and be your own cloud

    • @ChenfengBao 5 years ago

      An offline solution is just too inconvenient for the average user.

    • @jamesedwards3923 5 years ago

      I have no argument, thank you sir. :) .

  • @nouman_baloch 5 years ago +9

    Please talk about graphical passwords vs textual passwords, which one is more secure and powerful..... Thanks, wonderful job.....Keep going.....

    • @johnfrancisdoe1563 5 years ago +1

      SharpScripter The only "graphical passwords" I have heard of are basically disguised onscreen 9 or 12 key keyboards with limitations in what numbers you can enter. So really weak passwords for people who don't read so well.

    • @jamesedwards3923
      @jamesedwards3923 5 years ago

      Graphical Passwords?

  • @LtColDavenport
    @LtColDavenport 4 years ago +5

    So what password manager does he use? That would be interesting!

  • @LiezerZero
    @LiezerZero 5 years ago +2

    I use keepass2 and make backups (4 different local locations on flash drives with obscure filename) EVERY TIME I edit it.

  • @ConstantlyDamaged
    @ConstantlyDamaged 5 years ago +75

    Okay. But if KeePass decides that the project is too much and server costs are too high, and shuts down, I can keep using their program AND I can get all my passwords back.
    A cloud service? Isn't free and is a weak link in the chain.
    If you want to use KeePass across devices, employing a well-configured gdrive and Google's Backup and Sync (or another cloud service) will ensure all your devices keep their key vaults up to date.

    • @pm79080
      @pm79080 5 years ago +4

      LastPass is service as a software substitute.

    • @JNCressey
      @JNCressey 5 years ago +11

      If you're using google drive, what's wrong with just using google's password manager?

    • @BigRizza1
      @BigRizza1 5 years ago +2

      KeePassXC file inside an encrypted file container + mega.nz cloud is a great option. The KeePass file is encrypted, the file container can be encrypted with multiple layers using different methods, the cloud account is encrypted, and also free.

    • @ashishpatel350
      @ashishpatel350 5 years ago +21

      @@JNCressey it's Google. Most people don't trust Google or Facebook.

    • @baumkuchen6543
      @baumkuchen6543 5 years ago +7

      @@ashishpatel350 With KeePass you can encrypt your DB with a combination of password + keyfile. Sync your DB via Google Drive and keep your keyfile out of it. I think even Google would have a problem cracking your DB without the keyfile.

  • @prosonman
    @prosonman 2 years ago

    All these password managers were far too complex for most of my family, who didn't understand many of the features and just wanted something they could use easily. My Password Book for iOS devices was ideal and did not require any third party registration.

    • @jamesedwards3923
      @jamesedwards3923 2 years ago

      No disrespect at all. I am a blunt person. Again, no disrespect intended.
      The flaw with using built-in browser password managers is that if the account is compromised, the passwords are compromised. That is not the same if you use a program like KeePass or Password Safe. Even if you choose to use a 'retail' password manager, that is at least a separate account, on a separate service.
      Also, based on my personal experience, reading and observations, your statement suggests that their passwords to their iOS accounts are garbage.
      Unless they're elderly, have memory issues, or the like, I would never recommend it to anybody.
      I have known, conversed with, or read about people who have had their password managers hacked. Most of the time it was due to poor 'basic' security measures. On top of that, garbage passwords. It's one thing to get hacked. However, I am tired of people telling me they were hacked, but the adversary did not have to put any real time or effort into it.

  • @zer0day463
    @zer0day463 5 years ago

    Thank You Dashlane ...

  • @fastundercoverkitgoogle7381
    @fastundercoverkitgoogle7381 5 years ago +1

    Everyone is mentioning KeePass as their offline password manager of choice, but I personally am happy with (gnu) pass. I like the convenience of my gpg key being my master key and syncing across devices using git.

    • @jamesedwards3923
      @jamesedwards3923 5 years ago

      You can just sync the file with any number of cloud storage services, across many devices. That is why many of us use KeePass.

    • @jamesedwards3923
      @jamesedwards3923 4 years ago

      KEEPASS. Yes, if you are going open source. It is one of three.

  •  8 months ago

    I just sync my KeePass file between devices via cloud, that takes care of the convenience part. And my phone undoes its one million times AES in a few seconds, so the argument of client vs. server power seems weird. I don't think it was that different 4 years ago.

  • @peschebichsu
    @peschebichsu 3 years ago +1

    Is the automatic login from Google Chrome or Samsung phones also some sort of password manager, or do they use different (less secure?!) methods and are not advisable?

  • @UntouchedWagons
    @UntouchedWagons 5 years ago +2

    I use a self-hosted Bitbucket container on my file server. If I need a password on my phone, I can VPN into my home network and get whatever I need. A few extra steps but it's not too bad. I used KeePassXC (I think that's what it's called) for a while but I wanted something multiple devices could potentially access at the same time.

    • @jamesedwards3923
      @jamesedwards3923 5 years ago

      ??? That would mean you are sharing the data. It would be efficient to store backups of the KeePass file on your own server. Then if you needed to retrieve it, just do it. Also if you needed to back up the file, it is done.

  • @OceanBagel
    @OceanBagel 5 years ago +3

    If you're worried about a password manager breach, just encrypt all your passwords by hand before storing them in the password manager. Sure, it's more work than just keeping all your passwords in a handwritten book, but you also get to show off how cool you are to your friends.

    • @shreepads
      @shreepads 5 years ago +3

      "encrypt by hand" - surely you're joking

    • @jamesedwards3923
      @jamesedwards3923 5 years ago

      I cannot tell if you are joking or not! What, that does not make sense on many levels. In case someone is seriously considering writing down their passwords in a book:
      1) First off, one of the important reasons everybody recommends a password manager is because the software can create a completely randomized password. Encrypting by hand involves your human brain, which for this task is way more inefficient.
      2) Books are not bad things. I cringe to this day when I see somebody throw away a book. The problem is storage, security and convenience. Software is superior.

    • @OceanBagel
      @OceanBagel 5 years ago +2

      @@jamesedwards3923 Yeah it's a joke lol. The actual secure way would be to take the generated passwords and write them in a book. You'd still have to keep the book secure, but that's usually not a problem.

    • @Nibsipipsi
      @Nibsipipsi 6 months ago

      @@OceanBagel You'd think so, but somebody stealing your password book from your home is more likely than somebody breaching a password manager.

  • @MirkWoot
    @MirkWoot 5 years ago +3

    Second factor + master password! I think that should have been mentioned. Though still pretty bad if someone gets on your computer.

  • @mercenaryex834
    @mercenaryex834 1 year ago

    Help! For what master password entropy should I aim, if I use AES256 to encrypt my database?? Is 128 bits enough or should I go for a 256-bit master password?
    Is it true that a quantum computer can brute force a 256-bit master password with Grover's algorithm with a final strength of 2**256/2 combinations??

  • @balping
    @balping 5 years ago +5

    I use KeepassXC and it's quite convenient. It can perform autotype, that's all I need. The database file itself is synchronised between my devices using owncloud.

    • @sledgex9
      @sledgex9 5 years ago +1

      FYI: You could use "syncthing" instead of "owncloud" and drop the php/javascript dependencies. It should run leaner on the machines.

    • @balping
      @balping 5 years ago

      Thanks for your recommendation, this project looks quite decent. I use owncloud for calendar and contacts as well, so I'll probably stick with that, but thanks anyway.

    • @NoseyNick
      @NoseyNick 5 years ago +3

      Yeah I heard something like "You can use KeePass at the loss of some convenience" but I didn't understand what the loss of convenience was? AutoType based on window title works great and is SURELY safer than trusting my browser / plugins to not have any security holes?

  • @Outfrost
    @Outfrost 5 years ago +3

    As a modern, cross-platform, drop-in replacement for KeePass, I'd recommend KeePassXC.

  • @AleGrigis
    @AleGrigis 4 years ago +6

    Mike: not "correct horse battery staple"
    Me: ...damn
    XKCD: Told ya..!

    • @Jackleber
      @Jackleber 4 years ago +1

      Love the nod

  • @ChaosTheory666
    @ChaosTheory666 5 years ago +3

    *Master Password* is a great password manager for those who are extra paranoid. It's free as in freedom software (so not _just_ simply open source), and it will work even if all your devices simultaneously combust or something. It _generates_ passwords based upon your master password and name. This means it's not stored on some cloud service where the NSA has full access to it, and it's not even really stored locally.

    • @KanalMcLP
      @KanalMcLP 5 years ago

      But if I remember correctly, then you can't change a password, only all at once?

    • @ChaosTheory666
      @ChaosTheory666 5 years ago +1

      @@KanalMcLP
      Nope. You can just increment a number associated with that site/user and you'll get a new password. To change your master password however would probably require all passwords to change.

    • @recklessroges
      @recklessroges 5 years ago +1

      Isn't keepass better written with way more functionality?

  • @portman8909
    @portman8909 2 months ago

    Remember one good one for your main email and have a password manager for other sites. If you lose the password manager, you can easily just reset the password with your email.

  • @woblewoble
    @woblewoble 5 years ago

    Even if someone gets into your password manager account, 2FA would prevent them from accessing your more sensitive accounts. In that way it acts as a sort of first-responder to potential breaches, letting you know if it's been compromised if someone tries to access your more secure accounts, though I dunno how much that really works.

  • @ByGraceThroughFaith777
    @ByGraceThroughFaith777 4 years ago

    In simple terms, it is safe to use a manager... Thanks!

  • @ChiefyManDudeDog
    @ChiefyManDudeDog 5 years ago +20

    I'd be interested in his thoughts on web browser password managers. Are they similar to LastPass in terms of security?

    • @flateartherpaintball5214
      @flateartherpaintball5214 5 years ago +2

      They are definitely stored in plain text for Chrome and Firefox on Win7 and 10, at least. If you right click a password box, inspect element, and change this field: type="password" to be type="text", you will see your plain text password. Which is why I don't let browsers save my passwords.

    • @michaelpound9891
      @michaelpound9891 5 years ago +12

      Browsers will encrypt passwords on disk. I don't have a huge problem with them, but I just find syncing between devices easier without tying to a browser. Or maybe if I get a new device. I personally would also rather avoid Google having my passwords, simply because it also gives Google a list of sites I think are important. Just one more thing it learns about me!

    • @Vode_ika
      @Vode_ika 5 years ago +3

      @@flateartherpaintball5214 I just tried this on the latest version of Google Chrome on Win 10. All I got was a blank box (I even tried copying it in case it was unreadable and all I copied was some spaces), to make the password visible I had to click the button for it, and then use my full windows login to confirm I wanted a password to be visible.

    • @dykam
      @dykam 5 years ago +13

      @@flateartherpaintball5214 How the browser shows it in a form has nothing to do with how the browser stores it on disk. If it wouldn't do what you described, you could literally not use it, as it needs to in the end send it as plaintext to the server.

    • @totlyepic
      @totlyepic 5 years ago +1

      The built-in managers in browsers are just like any other local password manager he talked about. It's stored locally on-disk, encrypted.

  • @somebrid2147
    @somebrid2147 4 years ago +9

    Camera-man, get a tripod my man. Your hand must hurt af

  • @rchandraonline
    @rchandraonline 5 years ago +1

    Use Google Drive as the master place for the vault, have Drive access software on all the platforms where I need to get at the vault (such as google-drive-ocamlfuse), and KeePass. That IS the thing, as you mention...with KP, it's up to you to handle distribution across platforms, but you're in charge.
    In a sense, why would you have to authenticate to get your vault? You shouldn't care who gets your vault, otherwise it's kind of pointless putting it in the cloud. But it is *somewhat* less secure, because if you have it you can run brute force decryption attempts at full speed, versus only getting the vault if you possess the secret necessary to obtain it. That would make it that much harder to decrypt.

  • @quicktastic
    @quicktastic 5 years ago

    All the encryption stuff is great for computers storing information, but a person still needs to remember the plain text password required to unlock it all. For that, people write it down on a sticky note and hang it somewhere around their computer so they don't forget it.

    • @BattousaiHBr
      @BattousaiHBr 5 years ago

      Assuming it's in your house and really no one has access to it besides you, it's not such a terrible idea.
      In that scenario the biggest worry would be losing whatever paper you have the password written on.

  • @nikanj
    @nikanj 5 years ago

    I don't see the need to append an email at all. To retrieve the vault, you can perform a client-side hash on the master password then send that to the server with your email to authenticate (the server re-hashes the hash with a stored salt to authenticate).
    To encrypt/decrypt the vault simply use a key generated by applying a different hashing algorithm using your master password as a passphrase.
    Is there a flaw in my logic?
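The two-key scheme nikanj sketches above, worked through end to end as an added example (not code from the video, Computerphile, or any commenter): the client derives one key for authentication and a separate one for the vault, the server stores only a salted re-hash of the first plus the encrypted blob, and a wrong master password fails at both the server check and the vault's integrity tag. Assumptions: PBKDF2-HMAC-SHA256 stands in for "a hashing algorithm", the email is the per-user salt (as in the video) with a label separating the two derivations, an HMAC-based keystream stands in for AES so only the standard library is needed, and the iteration counts and sample data are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Iteration counts are illustrative, not any product's real settings.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 10_000

def _kdf(secret, salt, iterations):
    # PBKDF2-HMAC-SHA256 stands in for "a hashing algorithm" in the post.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)

def derive_keys(master_password, email):
    """Client side: two keys from one master password. The email is the
    per-user salt; the label in the salt separates the derivations so neither
    key can be computed from the other. Only auth_key ever leaves the device."""
    pw = master_password.encode()
    auth_key = _kdf(pw, (email.lower() + "|auth").encode(), CLIENT_ITERATIONS)
    vault_key = _kdf(pw, (email.lower() + "|vault").encode(), CLIENT_ITERATIONS)
    return auth_key, vault_key

class Server:
    """Holds only a salted re-hash of auth_key and the encrypted vault blob."""

    def __init__(self):
        self.users = {}

    def register(self, email, auth_key, blob):
        salt = secrets.token_bytes(16)
        verifier = _kdf(auth_key, salt, SERVER_ITERATIONS)
        self.users[email] = {"salt": salt, "verifier": verifier, "blob": blob}

    def fetch_vault(self, email, auth_key):
        """Re-hash the presented auth_key with the stored salt, compare in
        constant time, and hand back the blob only on a match."""
        rec = self.users.get(email)
        if rec is None:
            return None
        candidate = _kdf(auth_key, rec["salt"], SERVER_ITERATIONS)
        if not hmac.compare_digest(candidate, rec["verifier"]):
            return None
        return rec["blob"]

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream: a standard-library
    # stand-in for AES-CTR, which is what a real vault would use.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def _subkeys(vault_key):
    # Separate encryption and MAC keys, both derived from vault_key.
    return (hmac.new(vault_key, b"enc", "sha256").digest(),
            hmac.new(vault_key, b"mac", "sha256").digest())

def encrypt_vault(vault_key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()

def decrypt_vault(vault_key, blob):
    """Return None for a wrong key or a tampered blob, never garbage plaintext."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

Because the server only ever sees auth_key and the blob, a dump of its user table gives an attacker the salted verifier to crack offline but not vault_key, which is the property the video's email-concatenation step is there to provide.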

  • @bruderdasisteinschwerermangel
    @bruderdasisteinschwerermangel 4 years ago +10

    KeePass + SyncThing is the golden combination tbh

  • @DJayDiamond
    @DJayDiamond 5 years ago

    How secure are the passwords generated by LastPass autogenerate feature and are they more or less secure than creating your own from a phrase or line in a book with numbers and symbols added?

  • @millanferende6723
    @millanferende6723 4 years ago +2

    10:00 - hahaha, that was done VERY well! 😂

  • @TheJackiMonster
    @TheJackiMonster 4 years ago +4

    You can probably write a simple password manager on your own as a shell script. It's basically just a hashtable (service as key and password as value) which can be encrypted or decrypted using GPG. If you want access to it from different devices, you can put the encrypted file in your Nextcloud. There is no need for a specific service which stores passwords only.
    Fun fact: If we could authenticate via a GPG key in our TLS traffic, we would not even need so many passwords in the first place.

    • @TON-vz3pe
      @TON-vz3pe 1 year ago

      Yeah. Password manager seems like a fools game.

  • @IceMetalPunk
    @IceMetalPunk 5 years ago +2

    Around 1:35, you missed an option, Mike: use a mental algorithm to create your passwords, so that every password is different, but you don't have to remember them all because you can re-create them on demand :) That's what I do. Every password I ever use is different, but I don't remember most of them; I just remember how to form them and do that when needed.

  • @JNCressey
    @JNCressey 5 years ago +4

    Does the Google account password vault work in a similar way? You would need to do that hashing hundreds of times before logging in to any of its services to ensure Google doesn't know your master password, if it did work that way, wouldn't you?

    • @Furiends
      @Furiends 5 years ago

      Yes, in regards to passwords and other synced browser data. Although data is decrypted on the stored and stored as is. This also allows for easy master password recovery, for example, since any synced device has all your data and just creates a new cloud sync when it's reset.

    • @Akkordinator
      @Akkordinator 5 years ago

      IIRC passwords in Chrome are encrypted with the Windows password you use. Not recommended at all, those passwords can be extracted very easily (on your local machine; don't know what happens when it's sent to Google)! Firefox (again IIRC) by default doesn't encrypt at all, until you set a master password in the browser, which is not even suggested by the browser when you try to store a password.
      Definitely use a real manager if you want security. There are enough options that are as comfortable and way more secure than any integrated option in FF or Chrome.
      Also please correct me if I'm wrong, it's been a while since I looked that up.

  • @briandsouza7854
    @briandsouza7854 3 years ago +1

    But how does the server know that the authentication key is correct? Since it is hashed so many times. Also the authentication key must change on every login if I'm not wrong then how does it verify if it's the correct authentication key? The password manager I'm talking about is Bitwarden.

  • @tiavor
    @tiavor 5 years ago

    How secure is the function "use Windows account" (as key) alone, without additional keys?

  • @lucacommonjay7894
    @lucacommonjay7894 4 years ago

    But would you need a password manager when you have Correct Horse Battery Staple for all your accounts?

  • @h.i.1359
    @h.i.1359 5 years ago +2

    I'm surprised that nothing was said about Argon2. Also, KeePass has some protective mechanisms against keyloggers: Secure Desktop, Two-Channel Auto-Type Obfuscation.

    • @KanalMcLP
      @KanalMcLP 5 years ago

      Yeah, but they only work for bad keyloggers and are easily breakable.

    • @jamesedwards3923
      @jamesedwards3923 5 years ago

      I have not read enough on Argon2, but from what little I have read. It is reasonably secure.

    • @jamesedwards3923
      @jamesedwards3923 4 years ago

      The problem I have with Argon2 is simple. Some ports of KeePass do not support it. Which is annoying. However, it is an open source project. So I do not complain. I am just making the statement.

  • @NuggetsNews
    @NuggetsNews 5 years ago +3

    We recently did a video on the risk of generating your own private keys. Thought you guys might find that topic interesting to cover in future!

  • @vinsz7853
    @vinsz7853 5 years ago

    We need subtitles! Great video, though

  • @Theoddert
    @Theoddert 4 years ago +5

    Ah but you see. I will type "password" in backwards. Nobody has thought of that yet; foolproof

  • @Mezxxii
    @Mezxxii 2 years ago

    On 1Password, if my private key is used to decrypt my Vault Key, is it also signed by 1Password’s Public Key?

  • @concretetoy54
    @concretetoy54 5 years ago +5

    For me, the question is: how do pass managers fill the fields on the sites? JS injection, native copy/paste methods, simulating keystrokes? I don't understand that

    • @s8w5
      @s8w5 5 years ago +4

      Keepass simulates keystrokes, which has the advantage that it doesn't matter whether you are logging into a web service or using some proprietary software, such as a gaming client.
      AFAIK the other ones are completely different, but I haven't used them myself. At least their websites are only ever talking about filling in web forms.

  • @Daerux2
    @Daerux2 5 years ago +4

    That XKCD reference though

  • @idjles
    @idjles 5 years ago +3

    Keepass + Dropbox = done. Mobile access, family sharing - all easy and automatic.

    • @kmcat
      @kmcat 5 years ago +1

      Linked with a YubiKey NEO for that OTP and keyfile.

    • @jamesedwards3923
      @jamesedwards3923 4 years ago

      @@kmcat You may like Password Safe.

  • @aaron6841
    @aaron6841 2 years ago

    Does your vault become encrypted again if you're still logged in to the vault?