Ok, so WHAT WE'RE GONNA DO, right? Is this..

@@BlueZirnitra HAHAAHAH!!!! I think he's likely as awesome lecturer as well. Would love to sit in on one.

Pound that like button for Dr Mike

Swipe650 not gonna say what I was thinking. Nope. Just gonna walk away from that one.

@@abandonedmuse Pound Dr Mike's Button perhaps?

Very funny 10/10, off to Edinburgh now!!

A little click out of 1..2...3,..., 256 aaand we got our AES-Key

Meta

Nothing on ksda34bw4t4748797sjTe.........nothing on WxB7ww3n7464se4etesimyf8e4qwq.............

*50 million years later*

If you used KeePass or Password Safe. That is not an issue now is it?

Phishing*

Indeed. Also any password manager worth anything wouldn't even know your master password due to zero knowledge so that's another red flag if receiving such an email

vault* Edit: it's been fixed :)

Not bad advice at all.

Thanks... corrected

@@BattousaiHBr or... use MFA(2FA) on your PWmanager

who in the world should hack my password-vault keepassxc? how?

i’m r que le hemos

yes

ProBob drama ensues

It's his and Alice's daughter. He loves his daughter.

@@josue_mejia ^ So he's bangin his daughter? Seems legit.

@@jmullentech this is not game of thrones

A scammer once created a profile for something without my consent and put the password as "123456". I changed it to something really complicated that I would forget.

Don't worry, hunter2 is the best password

Dont you just hate it when that happens.

You are your own nemesis

Password321 for extra security

You can look up articles and academic sources while you are listening. It is what I do. I am not an expert either, but I made some remote effort to understand.

@Sassy The Sasquatch You would be surprised how many exams and tests people (including me) manage to pass (hehe) by learning from YT videos.

Also turn on an app locker or app blocker on your android device. It is not encryption. It is a stop gap to hinder casual or criminal intrusion.

James Edwards And how would that differ from just using a device-wide code?

@@GRBtutorials App Lockers are typically integrated into the application. App Lockers are also associate with android antivirus software. Note: The ones I will be referring to unless stated otherwise. Are the app 'blockers' associated with android devices via third party antivirus security programs. It is not encryption, more of a stop gap measure. For example, let us say I am on a train and I setup an app locker. Somebody runs off the train and snatches my phone in the process. However my phone is not locked. Most of us do not completely log out of our phones' mobile apps. Keep in mind unless you are using an application specific locker. This just prohibits them from interacting with the application directly. The application is indeed 'open.' A decent hacker could bypass the app locker; or blocker as it should be commonly called. This will give you time to lock and wipe the device. Keep in mind you can find third party 'standalone' versions of this. My personal recommendation is that is if you are out on the town. Try having two that overlap with each other say in 1 minute and 30 second intervals. It will make it much harder for a common thief to access your applications buying more time. If they keep your phone active the phone will not lock until you get to a computer to remotely do it.

The double blind method is efficient.

Same here

Not that you really need to even worry too much about the strength of your laptop or phone passwords. If someone has physical access to the device, all bets are off anyway. They don't need to ever learn your password to get access to anything locally stored on the device. Web-authenticated services (like your email) would still be safe though, I think (would have to see what is/isn't stored locally).

@@totlyepic Not *strictly* true, yes in the vast majority of cases 'if you hold the box you own the box' but things like fully encrypted drives, full secure boot / locked bootloaders, etc. mean that data can still be secured!

Plot twist: “Laptop”, “bank”, “email”, “phone”, “and. of course”, are the actual 5 passwords he’s using.

You are being logical. I do not remember my bank password, but more logical than most I have encountered.

See that storeroom over there? .......

That storeroom is where we keep the list of storage locations for the paper.

Bitwarden says hi

For those hailing from the future, which is unlikely given the age of the video but here's hoping. You can use KeepassXC or any KeePass variant as a password manager without sync, then use Syncthing to sync the vault across devices. No server needed!

Agreed on your concept of customer lock-in. Almost all password managers, however, have the capability for you to export your entire vault into a file, which can then be imported into another password manager. As a matter of fact, I don't know one that doesn't have this function, although I'm sure they exist. If they do, those are the ones I'd never use.

I try to support open source software.

Gregory Booth It may have an export function but more importantly, how can other products import the data? The database schemas are different. The devil is in the details. If you have to tweak a large number of imported entries then the “feature” isn’t really a feature.

​@@lohphat The data is 'decipherable.' KeePass (depending on which version you use) allows you to export as customized .html file. Yes, I would have to 'reconstruct' the database. However it is salvageable. You should be backing up your database in different formats for logistical reasons every time you backup the file. The 321 rule of backing up still applies. Three different copies. Two different media formats. In this case types equals file types. KeePass allows you to 'print' your password database file. Microsoft for example allows you to print to .pdf format and .xps format. You can also save screen captures of your database if you want to take the time to do it. - Not to mention the numerous applications that allow you to export, print to, etc. You should be saving the last few versions of keypass on a disk somewhere. So if you 'need' to port the data. You would still be able read it. It is all about redundancy.

I don't really understand this. Where would you put this vault like on your MacBook, or external hard drive? And how do you secure it there? Trying to learn, but I am new to all this.

elukok thats very clever!!

That's a fantastic suggestion. I'm definitely going to start doing that.

You could have just said "I'm a simple man. I see Mike, I click".

@@chicoktc I'm a man of taste, I form my own answers ;)

I like to use keepass with syncthing to keep everything up to date, but you could use other foss tools like rsync or nexcloud

Brock Elmore This is actually a smart idea.

*T-Mobile Austria has left the chat

It depends. For instance, I use KeePass. If I forget my database password, I'm 100% SOL, whereas LastPass does offer recovery. I would argue that this is a security weakness, since then there are options for malicious actors to access the password DB more easily. So while I do maintain a cloud-storage backup of my password DB, it is protected by multiple passwords- the unique password to access the cloud service, and the unique password to unencrypt the password database. While a breach may be possible, it is still more secure than having a recovery alternative. And the likelihood of me forgetting the KeePass password is nonexistent, since aside from my phone unlock password it is the most frequently used password, and if I forget something I'm typing several times per day I likely have larger problems.

With google your devices are part of a sync to where they all store your data. In what way they are encrypted in storage I don't know but it is NOT based on your master password. Thus resetting the master is just a matter of creating a new cloud sync with the existing data on the device.

@@zrobotics Hi, zrobotics. I'm a new KeePass user. Where or how have you been backing up your KeePass database and private key? Do you trust backing them up to a web server or cloud storage, or have you been keeping them on offline harddrives?

I'll just say that I will never trust my passwords, password vaults or personal data with any company, individual or scheme that offers something along the lines of "master password recovery". If anything even remotely close to that is possible, it is, in security terms, a situation equivalent to storing all of your passwords in cleartext on a single server accessed by arbitrary people.

KeePass?

No, passwordstore.org

Thats the beauty of Keepass. You own it completely and use it however suits your use case. I have my devices (laptops and smart phone) sync the keepass vault via a backup copy on my home DNS server over sftp, but only from within my LAN. My devices don't sync when I'm not home, but it means my database never leaves any of my hardware.

LastPass is service as a software substitute.

If you're using google drive, what's wrong with just using google's password manager?

Keepassxc file inside encrypted file container + mega.nz cloud is a great option. The keepass file is encrypted, the file container can be encrypted with multiple layers using different methods, the cloud account is encrypted, and also free.

@@JNCressey it's Google. Most people don't trust Google or Facebook.

@@ashishpatel350 With keepass you can encrypt your DB with combination of password + keyfile. Sync your DB via google drive and keep your keyfile out of it. I think even google would have problem cracking your DB without keyfile.

FYI: You could use "syncthing" instead of "owncloud" and drop the php/javascript dependencies. It should run leaner on the machines.

Thanks for your recommendation, this project looks quite decent. I use owncloud for calendar and contacts as well, so I'll probably stick with that, but thanks anyway.

Yeah I heard something like "You can use KeePass at the loss of some convenience" but I didn't understand what the loss of convenience was? AutoType based on window title works great and is SURELY safer than trusting my browser / plugins to not have any security holes?

"encrypt by hand" - surely you're joking

I can not tell if you are joking or not! What, that does not make sense on many levels. In case someone is seriously considering writing down their passwords in a book. 1) First off, one of the important reasons everybody recommends a password manager. Is because the software can create a completely randomized password. Encrypting by hand involves your human brain. Which for this tasks is way more inefficient. 2) Books are not bad things. I cringe to this day when I see somebody throw away a book. The problem is storage, security and convince. Software is superior.

@@jamesedwards3923 Yeah it's a joke lol. The actual secure way would be to take the generated passwords and write them in a book. You'd still have to keep the book secure, but that's usually not a problem.

@@OceanBagel you'd think so, but somebody stealing your password book from your home is more likely that somebody breaching a password manager.

SharpScripter The only "graphical passwords" I have heard of are basically disguised onscreen 9 or 12 key keyboards with limitations in what numbers you can enter. So really weak passwords for people who don't read so well.

Graphical Passwords?

If you do not trust cloud password managers. Other options then encrypt those files. Again, there are so many options, free, paid, or open source.

linked with a Yubikey neo for that OTP and keyfile.

@@kmcat You may like Password Safe.

They are definitely stored in plain text for Chrome and Firefox on Win7 and 10, at least. If you right click a password box, inspect element, and change this field: type="password" to be type="text", you will see your plain text password. Which is why I don't let browsers save my passwords.

Browsers will encrypt passwords on disk. I dont have a huge problem with them, but I just find syncing between devices easier without tying to a browser. Or maybe if I get a new device. I personally would also rather avoid Google having my passwords, simply because it also gives Google a list of sites I think are important. Just one more thing it learns about me!

@@flateartherpaintball5214 I just tried this on the latest version of Google Chrome on Win 10. All I got was a blank box (I even tried copying it in case it was unreadable and all I copied was some spaces), to make the password visible I had to click the button for it, and then use my full windows login to confirm I wanted a password to be visible.

@@flateartherpaintball5214 How the browser shows it in a form has nothing to do with how the browser stores it on disk. If it wouldn't do what you described, you could literally not use it, as it needs to in the end send it as plaintext to the server.

The built-in managers in browsers are just like any other local password manager he talked about. It's stored locally on-disk, encrypted.

Or you could use Bitwarden and be your own cloud

Offline solution is just too inconvenient for the average users.

I have no argument, thank you sir. :) .

I have a better idea. Use that code you wrote down as the second authentication. What do I mean? Do not commit your cloud storage to your head. It is a bad idea, because your cloud storage password can be 'compromised' any number of ways. Your keepass password, committed to memory is a lot harder. Put your keypass file in another file encrypted. Congratulates you created at least three factors of authentication. One is your external encryption password. Then you have your kepass password. You also have a keyfile. You are welcome by the way.

But if i remember correctly then you can't change a password, only all at once?

@@KanalMcLP Nope. You can just increment a number associated with that site/user and you'll get a new password. To change your master password however would probably require all passwords to change.

Isn't keepass better written with way more functionality?

You can just sync the file with any number of cloud storage services. Across many devices. That is why many of us use keepass.

KEEPASS. Yes, if you are foing open source. It is one of three.

Oh yeah I know these guys, they've been polling their users for over a year asking them if they want an updated version of the Concorde for P3D v4/v5.... the update costs as much as a new product, even though it's just the same plane made for a slightly newer version of the simulator. So far, no updated version of the plane has been made, likely because there wasn't enough people throwing money at their screen when reading that. I didn't know that they did this, but they seemed like scumbags to me just because of making customers pay full price for updates, as if it wasn't expensive enough

i've always said to people, never store passwords in browser. i'm surprised anyone still does

How did they get away with it? Stealing passwords is highly illegal no matter how you spin it. Even if they didn't use the passwords if they've clearly compromised the safety of their customers that's a huge lawsuit right there.

I run XC on Mac, Desktop Linux and Android, but I use plain keepass on win. I think the native .NET plays better with win.

Yeah. Password manager seems like a fools game.

No disrespect at all. I am a blunt person. Again no disrespect intended. The flaw with using built in browers password managers. Is that if the account is compromised. The passwords are compromised. That is not the same if your use a program like keepass or password safe. Even if you choose to use a 'retail' password manager. That is at least a seperate account. On a seperate service. Also based on my personal experience, reading, observations. Your statement suggest that their passwords to their IOS accounts are garbage. Unless their elderly. Have memory issues. Or the like. I would never recommend it to anybody. I have known, conversed, or read about people. Whom have had their password managers hacked. Most of the time. It was due to poor 'basic' security measures. On top of that. Garbage passwords. One thing to get hacked. However I am tired people telling me. They were hacked, but the adversary did not have to put any real time or effort into it.

??? That would mean you are sharing the data. It would be efficient to store backups of the keypass file on your own server. Then if you needed to retrieve it, then just do it. Also if you needed to backup the file. It is done.

​@I And why's that? It doesn't stop brute-forcing, but it does mean that if one algorithm is broken it's still secure.

​@I And yet should the time come where one of these algorithms is broken, I'll be grateful I've encrypted it 3 times over. My volume is more than fast enough. I'm only rocking .txt files and pictures in it. It's not like I'm running a server or something.

Hmm, I would like to read the audits that disclose this. Most people are not going to have their VeraCrypt encryption open all the time.

@I A better option is using separate encrypted files. 1) Keypass file. 2) Then put it in veracrypt file. 3) Then put the file in a .7zip or zip file. Three layers. Three passwords. Multiple iterations.

@@bobbarker7820 Correct.

Love the nod

assuming it's in your house and really no one has access to it besides you, it's not such a terrible idea. in that scenario the biggest worry would be losing whatever paper you have the password written in.

Keepass simulates keystrokes, which has the advantage that it doesn't matter whether you are logging into a web service or using some proprietary software, such as a gaming client. AFAIK the other ones are completely different, but I haven't used them myself. At least their websites are only ever talking about filling in web forms.

Yeah, but they only work for bad Keyloggers and are easyly breakable.

I have not read enough on Argon2, but from what little I have read. It is reasonably secure.

The problem I have with Argon2 is simple. Some ports of KeePass do not support it. Which is annoying. However, it is an open source project. So I do not complain. I am just making the statement.

Michael Hammer That would probably be a security flaw in and of itself. You probably don’t want the whole world knowing which service you use, as they may start trying the “forgot password” tool and possibly get in.

@@DanStoneUK Maybe so but if someone has a keylogger on you and you use a password manager you're also in trouble. It doesn't stop manual attacks, but it stops quick scans hackers might do over leaked password lists.

Use a software application like keepass or password safe. You can use software keys or FIDO keys depending on your choice.

@@jamesedwards3923 those are still "password managers" that are protected by a single password no?

@@fuseteam Not in this context. You are adding another factor to the encryption. You need 'both' the password and the key or keys. The key is part of the encryption. Another example is peazip. It allows for keyfile enabled as another factor.

@@jamesedwards3923 hmm

Yes in regards to passwords and other synced browser data. Although data is decrypted on the stored and stored as is. This also allows for easy master password recovery for example since any synced device has all your data and just creates a new cloud sync when its reset.

IIRC passwords in chrome are encrypted with the windows password you use. Not recommended at all, those passwords can be extracted very easily (on your local machine; don't know what happens when it's sent to google)! Firefox (again iirc) by default doesn't encrypt at all, until you set a master password in the browser, which is not even suggested by the browser when you try to store a password. Definitely use a real manager, if you want security. There are enough options that are as comfortable and way more secure then any integrated option in FF or Chrome. Also please correct me if I'm wrong, it's been a while since I looked that up.

If you can afford to do it, then go ahead.

It's easier to brute-force a word in mandarin than to brute-force a random string of 50 upper and lower case characters, numbers and special symbols created by your password manager.

@@qwerty687687 Correct.

Make sure you have made at least one donation.

*Top 10 Questions Science Still Can’t Explain*

You'd have been a smart person and enable offline access in lastpass, so that your vault is also stored locally for access without a cloud connection.

You will be able to download your database as an archive. Same way you'd migrate across services. Companies don't go out of business in an instant.

Usually in situations like these companies give a warning months, if not years, in advance But supposing that you completely miss the warnings (or they, for some reason, shut down without one) - lastpass keeps a local cached copy to enable you to use it while offline, so you'll still be able to access and export your passwords, they just won't sync to other devices anymore I imagine any other password manager would do the same, given how inconvenient an 'always online' requirement would be for the user

They would ask you to change your passwords

The master password will need to be hashed client-side, and then something will need to be sent to the server. In some cases, it is the hash; in other cases the hash may be used to generate further secrets that are sent instead, e.g. the hash could be used to encrypt a private key, and the encrypted private key is sent instead.

For almost all users there's no real security bonus to keeping it offline, the people that really need it need to be trained how to use it right or it can be worse for them. As long as it's implemented like correctly like this video describes, don't put your passwords in excel and post to github /troll :)

That is the point. You are trying to break a behavior that is going to put you into a weaker position. Research and read the data on how passwords are commonly broken. Generally once hashes are extracted from a database. They are broken with dictionary attacks. Then brute force. Brute force often works on weaker encryption. Dictionary attacks work typically on common password patters. A program that uses both and has the power to do it reasonably fast is the danger you want to avoid. You can search KZbin, .7z files as well as .zip file hashes can be extracted. What you care about is somebody taking that hash. Which is the mushed and mixed up version of your password. Then running the aforementioned and finding match.

@@jamesedwards3923 That's why you have a strong master password for your password manager and have it create strong, unique passwords for all your sites. 1Password has the advantage of having built-in 2FA by generating a Secret Key that only the user has access to.