> removes all features > becomes paid > gets hacked > refuses to elaborate > dies

It’s almost as if having your personal log in information stored by some big company is a risky thing to do!

>The virgin password manager >The chad “write my shit down in a book and store it somewhere safe” Ayy lmao

The reason why Keepass is good is because you handle the database file yourself and what type of security you use on it. Rather then trusting that LastPass cloud or another companies cloud.

I keep all my passwords in my head, Security gets better with age. Once the dementia update kicks in, Even i won't be able to get my passwords lol.

That's the beauty of offline password managers. Before you even begin to hack one, you very likely need to get through some password authentication first.

The virgin freemium cloud vs. the chad self-hosted lad

Ah yes, the company that thought they could make money by starting to charge their users for using a simple password manager. I'm shocked they had any users left.

Looking at the incidents where master passwords were allegedly stolen - it appears to be either credential stuffing (using passwords from other hacked websites), or something client-side to try to nab the password before it's encrypted (usually a vulnerability in a browser plugin). Should be noted that things like keyloggers can nab passwords from both cloud and local password managers - so a huge part of your own security is ensuring your own systems aren't compromised. In the case of the incident reported by BleepingComputer in 2021, there was apparently a bug in a system LastPass was developing to warn of possible credential stuffing.

I deal with LastPass/LogMeIn’s support staff on a regular basis and can attest that if LastPass says everything is fine, everything is most assuredly as far the fuck away from fine as possible.

Also worth a mention, KeyPassXC has a browser integration addon by the developer too so you wont even have to copy/paste passwords if you don't want.

We need an alternative software list video. First RustDesk, I2P and now KeePass. It would be helpful to have all these in 1 video so viewers can make decentralized choices first, rather then as they watch more and more videos👍

I use Bitwarden but I might have switch to self hosted

I feel like these “password managers” are all vulnerable. And yet they “claim” that writing passwords on paper is “extremely unsecure”. Yeah… if they claim something that everyone is doing for decades is suddenly “unsecure” is all just to get you to “buy the solution” and make storing passwords “easier”

I agree with most of your points here. I disagree with the assumption that open source code is actually looked at by a lot of eyes. Several security issues have arisen and affected a vast majority of projects because that's exactly what's not happening

I adapted using password managers a few years ago. Before that, I was the kind of person who would save them in browser. LastPass was the one I chose, because let's be honest, it is the Chrome of that realm, majority who uses a password manager, is most likely using LastPass. But I never liked the UX personally and was looking for an alternative that works for me, open source or not. So like just after a month of adapting to the password manager ways of things, I made a switch from LastPass to Bitwarden and was it an upgrade in every possible manner. It is FOSS and it's UI/UX is crazy simple that works for me. Never looked for an alternative ever since because I don't see anything being better than this, not at least for me personally.

Thank you for pointing out that open source code is more secure than proprietary code! I wish more people would understand this when they go to the voting booth!!!! We will never have any ways of knowing that our vote has ever counted if we don't have access to the source code!!

This is exactly why I don't trust "Password Safekeeper" programs that keep all your passwords locked away in one place. You never know when something will go horribly wrong.

I've had an experience with LastPass I can only describe as outraging. I tried to copy a password one day, only to realize the password I copied actually wasn't my password, it was a corrupted Unicode string. Some other passwords had the same issue. I was locked out and unable to log in to some services that I really needed to log into to do some work. I contacted support and they told me the engineers are aware of the issue and it will be fixed in a WEEK. This is on the level of installing a smart door lock for your home, the servers malfunctioning, and support telling you to sleep outside for a week as the engineers try to fix the servers.

I use Bitwarden. Stopped using lastpass after they started removing the features and putting them behind a paywall.

Just pointing out that for like 99.99% people, if your solution to this problem is "host a server yourself", it will be waaaay less secure than just about any service you can use, including LastPass, and your server will have way more chances to get broken into.

I use bitwarden but passwords i store there aren't complete anyway. I add an easily remembered pin codes based on the resource name to the end. This way even if my passwords are stolen they're useless, it should also be pretty hard to complete them without knowing what symbols i use in pins and how many. Sure, it adds the step of manually adding pins every time but since they're based on resource name it's manageable.

With Encryption usually it's OK if the algorithms become known, in fact the more scrutiny the better, as long as the private keys remain secure.

Hacks are exactly the reason I've never used a cloud password manager. Way too big of a target. Until now I've been using randomly generated passwords that I store on an encrypted note, but KeePass + Syncthing sounds like perfection. I'll definitely be switching to that.

Hey man, just wanted to say I appreciate u bringing this type of stuff to the public. Thanks!

You can like this comment when mental Outlaw makes the "KeePass Got Hacked, Time to Switch to the new thing" video at some point.

A LOT of people are trying to sell "self-hosting" in response to this news when they're failing to make the points made in this video-it's closed source.

Switched to keepass xc months ago. Took a lot of time resetting a ton of password to safe randomly generated ones given by it but I believe it was worth it overall. Have it on my desktop, laptop, and soon android phone. Pretty upset though that Apple iPhone doesn’t have it. Edit: Thank you for showing the iPhone version. I didn’t know there was one compatible with an iPhone application of keepass.

Self hosting is the future

At this point I’m convinced it’s literally safer to just write your passwords on a notepad or something. Like, I write all my passwords on a notepad file, I should find a way to encrypt it though

Whole situation sounds like "nah, stealing user data is too easy, let's steal the source code and prepare something awesome".

Switched to Keepass and KeepassXC years ago. Keeping your own passwords on 2 usb keys and a computer for backup reduces your risk to you giving up your password and Keyfile. Use both and put 500 random SSH Keys on a usb key, and.....good luck, if I loose it very few people that will ever be able to break encryption. Thanks for the video and heads up !

My advice use an open source password manager for passwords that aren’t super important but commonly used and write down and hide the important ones somewhere. That way if your computer gets compromised and your master password is leaked the most important ones are still safe

I swear people be like "hurr durr you can get hack!!" without realizing that the only way to get hacked is by BEING CONNECTED TO THE INTERNET

I only keep all of my most important passwords in my head or on a paper in a secure physical location (with no context on the paper that would indicate what those passwords go to). Sure it takes more time to insert my passwords as I have to type them out manually, but keeping them stored in an air gapped way rather than on a server I have no control over is the best option and the only way something could possibly get my info unless they hacked the servers for the account itself or through my device as I type it if it's been hacked.

This is why I don’t trust sponsors. I think we can all remember the commetary youtuber nord vpn fiasco where they were saying you would get your bank details stolen at coffee shops like any bank sites don’t use https in 2022.

I agree with all points except one, the concept that opensource is more secure than proprietary. Although I would agree that the code quality is likely better in opensource solutions, that doesn't necessarily translate to less discovered vulnerabilities. The fact of the matter is, opensource code bases can be inspected by bad guys too, and those bad guys might have significantly more interest in finding a vulnerability than the overall community. There aren't THAT many qualified software devs that will think about security and decide to audit opensource code especially if it's their spare time. My point is, even if proprietary code is likely to be much poorer quality, it would take stolen source code to be leaked for the wider internet to make the comparison fair. I'm not saying those things don't happen, but I don't think it's as common place.

Been using regular KeePass and keeping the DB in my onedrive for years now. It's handy enough and easy to access a credential when go somewhere since most places have Windohs installed.

Can't we just write our passwords on paper and then memorize them?

It has always blown my mind that people would put all their passwords on some third party company's servers, because this exact thing will happen with certainty if you give it enough time

imagine using the cloud to store passwords

That's why i just write my long af passwørds on a piece of paper instead and store it in the safest place that no man, woman or blackhat would ever access... in my underwear. Alternatives are just storing it offline or in pgp encrypted txt.

I switched from LastPass to KeePassXC 2, maybe 3 years ago and haven't really ever looked back. Syncthing sounds pretty interesting, but I guess since I already use a self-hosted ownCloud instance, I don't really need that, but it would be for sure an overkill if was made only for this single file... which absolutely wasn't the main reason why I started my own cloud instance.

Just host Vaultwarden on your home server frens

Honestly, the only reason I was using lastpass was for the cloud because I don't trust myself with not losing stuff. Definitely switching, however, thanks for the recommendation.

"Use a password manager" they said I didn't listen

I'm so happy that this happened, its honestly just such a bad idea to use online password services, just use local password storing solutions

And then there's me, self hosting Vaultwarden (a Rust reimplementation of Bitwarden) for maximum security

Already been using KeePass for 5+ years now. I remember back when I decided to get a password manager, I did some research & dismissed online options like this LastPass specifically because I didn't really trust their security long term. Ahh... the sweet vindication of a past choice well made.

It wasn't hacked, one of its development account was compromised and no customer data or PII was exposed to the internet...

I always was shocked that people use something on a cloud to save passwords. I mean if you worrying about your data getting hacked in one place but you trust other place with the same (or barely better) protection but not one password , but all of them (so there would be way way way way more incentive to try to hack it). Lol Yeah, I was proved right. After being interested in IT for several years and working here for one year I already can see how insecure it is.

I think the guys in the comments talking shit about how "every password manager is not secure, better use notes/store in *plain text* " are way to extremists and kind of ignorant too, since they miss the biggest advantages of a password manager: 1.- You can make every single one of your passwords insanely long and complicated (im talking about +120 characters with every kind of ASCII) and it doesn't matter, you only ever memorize 1 or 2 at most. 2.- If you use an *offline* password manager it's the same as having a paper in your office, since they need to get access to your drive, much like how they need to break in your office if it was paper, but with the difference being that your database is encripted and password protected, unlike your note, and if you use a +100 digit password on your database then it's gg for them. 3.- Another thing is, an offline pm is by extension, decentralized, there isn't a 'server' or 'group' to attack, anf if most people keep their DB in a usb or small ssd, then it's even more unrealistic to "crack" it. 4.- KeepassXC has the 'Health report' feature from bitwarden but for free, and it makes it trivial to know which accounts have been compromised and to save them/delete them *TL;DR* = KeepassXC Is king, pass is way too basic, and normal keepass sucks for the most part in comparison.

I simply remember my passwords. That way only I myself and the CIA know what they are.

Saw this coming. If people really took their security seriously, why the hell they using LastPass of all things.

You should post on update video about this hack. Turns out hackers HAVE exfiltrated encrypted user password vaults. Currently, the only thing keeping LastPass users' entire digital world safe is the strength of their chosen master password. If you use LastPass (which I do), it's hard to imagine a more serious breach than this. If you'll excuse me, I need to go spend the next 6 hours changing every password on every website I have created an account on over the past 8 years.

I've seen countless of ads for Lastpass in KZbin videos and my reaction to them was the same it is now. Why the (expletive) would you store all your passwords on someone else's servers? I bet you'd even lose access to them if you stop paying them (i don't know the costs and terms/conditions of Lastpass, nor do i care). Yeah, just give your passwords to Thieves Inc.

I've been looking for something like this for years, ditching my other PM immediately. THANK YOU!

By the way, your keepass file doesn't need to have a .kdbx extension. You can give it any other extension (or none), to keep it stealthy. The only yellow flag I found in KeePassXC, is that it remembers the last folder you loaded your file from. I presume this could be a potential point of weakness. I mean, I don't know, personally I just don't like the idea of anyone even knowing where my passwords are stored. Other than that, I've been using it for a long time and so far I'm happy.

You can set up your syncthing "server" on a raspberry pi or and old laptop to have it aways on, this way you don't need to juggle making sure you have both your phone and your laptop or both your laptop and desktop on at the same time to sync. Your can also set syncthing to always use encryption for it's communication and syncing.

I never trusted password managers

Self hosting=goals

I've used KeePass for many years but after switching to Linux I just use the "pass" script on Linux (using it from terminal) and I've never been happier since. It's simple, free and practically bulletproof. There are very good rememberable password generators too. I don't know why I've used the clumsy GUIs for such a straightforward task for so many years...

It didn't "get hacked", a dev's computer or account got hacked and source code was stolen.

This is the major reason why I don't and will never use centralized password managers. They are a huge target for hackers

Literally just write your passwords on a piece of paper. Inconvenient? Yes. Absolutely unhackable? Also yes.

I originally just kept a spreadsheet with all the passwords I used for all the accounts I had, and I only started using LastPass when it became a complimentary service to the anti-virus software I got from Geek Squad; it _was_ handy for the time being, especially since it actively encouraged using different passwords and helped with generating more secure ones than I could've come up with on my own, but I _have_ been working towards transferring what's stored there into a KeePassXC database, and this happening is further incentive to do so.

I've been using pass (or GNU/Pass) for a while now. It's based on GPG and has a nice git integration, alongside OTP and password generation

I switched from LastPass to KeePassXC around two years ago, and using Aegis as the choice for 2FA. It even imported my steam authenticator. And It worked great so far, my only complaint being android file manager not playing well with the google drive(I keep keys separate, don't worry.).

In their defense, isn't this part of some bigger hack? It doesn't excuse it, but it's not like LP themselves were targeted. I think the attack was dubbed Oktapus or something like that. Your typical phising/SEing hack involving sms 2fa. If it wasn't clear I'd like to reiterate I'm not sure.

If you must worry, just bite the bullet and use Qubes. Then you can use a KP dedicated environment that is void of any network. Also storing your pws in any sort of cloud is just asking for trouble. I could never understand the logic a decade ago and I still can't today.

Why would you use LastPass over Bitwarden ?

Self-hosted Bitwarden FTW ❤

Yubikey works with lastpass. Yubi is USB that looks like a key and goes on your keychain. To open laspass you plug it in and press the lit button. Whenever you update lastpass, it will ask for the yubikey button to be pressed again. So you control access and changes with a usb key held on your personal keychain at all times. You get 2, because it is your only backup when using yubi. It's not a joke. High security. You are responsible to store the backup key in a fireproof vault or similar. If that makes you uncomfortable, then you buy 3 yubikeys. Responsible people can have high security. But you don't need perfect security, just better security then your neighbour. Lastpass is a start.

cloud storage is a bad idea from the onset.

Ohh...how this story unfolds a few months later! They used the information they stole on this breach and now in December same year Lastpass told everyone that a Backup site was compromised with all users encrypted vaults.

Why is this cooking channel uploading tech videos ???

Steve Gibson of Security Now podcast had audited Lastpass's code in the past. If you don't trust his word I don't know who you could. Probably switching to Bitwarden at some point myself anyway.

I personally realize that the only truly safe password manager is a notebook on my desk, and anyone that thinks ANY online password manager is "secure" is deluding themselves.

Uninstalled LastPass and deleted my account months ago and switched to KeePassXC cuz I was getting increasingly uncomfortable with putting all my sensitive passwords in the hands of a 3rd party - not to mention them wanting to gyp users by making them PAY for password protection. Really feel like I dodged bullet, there.

FUCK I need to delete my last pass right now

wow, so i think you just solved 2 major problems i've been having for a few years now, thank you

I’ve never used one of this centralised password messanger. Such bullshit

Your a godsend chad, I thought LastPass was only hacked once or twice before with minor issues, f**k that I'm switching.

Nice deleted my last pass account 1 month ago cause it was ao annoying that you could only choose to use it on mobile or pc with the free version

This is what makes me skeptical of password managers. They are a single point of failure.

LastPass just keeps screwing up.

You know what's hilarious Writing your passwords into a text file mapped to a username and a domain writing your key to a key file, Encrypting the password text file with gpg using the command line and automatically inputting the password via command line Decrypting when wanting to read the passwords Is literally more secured than these kinds of Password Managers lmao

What I like about keypassXC is the ability to store 2-factor authentication codes without requiring a phone. The browser extension that allows me to click an icon to fill credentials on webpages. It works just like lastpass without the weak secuirty and cost.

I'm all for open source software, and not to throw a wrench in the engine here, but what about the recent security vulnerabilities in the Linux kernel that have been there for almost a decade? How did the "many eyes" mitigate those threats?

I'm actually a bit new to KeePassXC, but have been using KeePass for a while. Only recently learned of KeePassXC when I started moving to Linux.

おはようございます

Bro, you're brilliant! I just set up syncthing just the other day and this didn't even occur to me. Thank you!

It's hacked again

imagine using a password manager that stores your data in the cloud

I think this channel is becoming a little too extreme of privacy warriors atleast in this case. There are a couple things to note - any good software company will isolate dev accounts to only the repos they need access to. I work in a design focused company and even we get access to code only if we'll be a direct contributor to it. This means there's a big chance that even if the dev account leaked proprietary code, it was probably just a little piece of a very big puzzle. Secondly, the master passwords getting leaked in 2021 doesnt mean they're lying about not storing any passwords, no, it means the third party tracker they used got hacked which inturn provided access to their master passwords. The biggest exploit in any company is humans, and as we see even big security companies fall to this exploit. It doesn't mean everything is ruined tho, as a good company will use non-human tactics to ensure this human exploit cannot be leveraged to give high value returns.

I would be self-hosting my own bitwarden instance, myself. I liked KeePass when I used it... like 12 years ago. But there are better options.

I think with the 2021 security breach, regardless of if they had "Zero Knowledge" of the users' master passwords at the time, since there were trackers in the actual app itself the third party would still be able to get the passwords.

Seems like the safest way to keep passwords safe is to write them on a piece of paper and tape it to your monitor.

Imagine my face right now when I never used any of those password services...

Been using Dashlane for a few years now and I love it, personally. Hope something like this never happens to Dashlane.