Thanks for tuning in to Go Incognito! 🕵️♂️
1) Go Incognito Premium has no ads, includes quizzes & guides, hundreds of improvements, a certificate, and much more! Support our mission & join the premium experience: techlore.teachable.com/p/go-incognito
2) To access the sources, changelog, GitHub repo, and more, visit Go Incognito's Homepage: techlore.tech/goincognito.html
3) To order Go Incognito merchandise, visit our Privacy Shop: teespring.com/stores/techlore-merch
4) Go Incognito is offered for free thanks to all of our supporters. Support Techlore and our mission today: techlore.tech/support.html
@Prog47 4 years ago
Appending password with a word you only know is straight up genius!
@joemann7971 3 years ago
Or you can go further and append a full password to the password stored in the password manager. So, if you usually use the password p@$$w0Rd, you can append it or even put it in before the password manager's password. So your password manager would literally only know 1/2 the password. It's more work than simply putting a word, but, if someone was to get a hold of your password manager, it would be a lot more work for them than guessing what word you appended to the password. I don't think it would be hard for hackers to use your password manager's files along with appending dictionary words or just trying different combinations. If you do append a word to the end, it would be wise to use a different word for each website just so that it adds a little more difficulty in case a hacker finds out that you used "lemurs" at the end of your passwords.
@johnoxxly3402 5 years ago
I used to be pretty obsessed with my privacy and a frequent on your Discord but recently I’ve lost interest. But since you started uploading again I got back into it. (Covered my webcams again, updated all my passwords, reinstalled my password manager) so thanks, I guess.
@techlore 5 years ago
Glad it’s come back! Keep at it mate
@jamesedwards3923 5 years ago
I am sure he has a life offline.
@mytrigger5613 3 years ago
@@techlore What about simply making a random password for sites you don't frequent but require you to either join (usually by way of f@c3b66k or gargl3) or sign up, then in the event you visit the site again, just automatically going through the "forgot password" process, which used to be a daunting task but is fairly seamless now. Is this method of bypassing the password and going straight to authentication code via email a viable strategy and any more or less safe than any other safety measure?
@avaturner5056 4 years ago
This is one of the best videos I’ve seen on password security, ty. Really practical tips explained in simple, but not unsophisticated, terms.
@techlore 4 years ago
Yay thanks for watching!
@redeyesdrogon786 5 years ago
The more you think about it, the more KeePass is the greatest password manager. Awesome video! Learned a lot from this video. Keep up the good work
@Keyshooter 5 years ago
Wow... I was starting to use a password manager but never thought that it could become even stronger!! Great vid!
@SwitchedtoLinux 5 years ago
Excellent video as always! I hope the semester went well, let's do another video soon!
@skaruts 3 years ago
Pro tip: if you use KeePass or any manager that saves your passwords in a file, omit the file extension or use some other extension to make the database file harder for a nosy person to find.
@septimuspretorius250 5 years ago
My oh my! You are so knowledgeable and you impart the information exceedingly well. I LIKED and SUBSCRIBED and I am taking your advice! Thanks again and Well Done, young man!!!!!
@techlore 5 years ago
Welcome aboard!
@barkingbandicoot 5 years ago
Is there an open source alternative to maskme/blur? That is, a password manager that is also a disposable email generator? Would it be possible to incorporate something like ptorx with bitwarden?
@RPGamer-bt5wq 4 years ago
Use Bitwarden for your passwords and use Guerrilla Mail for a disposable e-mail generator
@noayoshi 5 years ago
Can’t I just safely store passwords using Notepad in an AES-256 encrypted zip file or inside of a VeraCrypt volume?
@techlore 5 years ago
If that’s what works best for you then yes!
@jamesedwards3923 5 years ago
Nothing wrong with that at all. Most people I know would not do that at all. Here is my suggestion. Keep that as your primary, but when you need to access that file, or back up your data, try to do it in multiple formats. The advantages of using open source programs like KeePass or Password Safe are many. One of them is that the files themselves have their own built-in security. We can argue back and forth how secure it is. The point I am making is that you can transcribe the data to a key file. Keep a backup on your phone. One that is available to access. The other encrypted in a zip file. Your phone should be encrypted. Your phone password should not be the password into your encrypted password file. So that alone has two layers of security. If you are just backing up your files on your phone, you now have three layers of security. I have backups of my passwords stored in a lot of places and have been and currently am upgrading how I secure the files. I will not go into too much detail. Again, I see nothing wrong with what you are doing! I just see it as limiting your workflow. If you are at home and your computer is locked down, great, but if you are on the go, you need reasonably secure alternatives. If you have to unzip that file, that is a security risk on your mobile device. So I personally recommend you use something that is secure for your mobile or public environments. Thank you for actually using common sense. I cannot get people to do what you do or better.
@jamesedwards3923 5 years ago
... Just expanding and simplifying my initial response. I would only suggest what you do for a backup file, in an alternate format. I back up my stuff in different formats. So here are my suggestions: 1) The best option is to use a password manager as your working file. Your initial idea should be for backups, should you need to restore, transfer or reconstruct the database. I would recommend KeePass, Password Safe, or Bitwarden. They are open source. 2) If you want to go the zip route: - Which I do not recommend when accessing your passwords for everyday use. Once the file is extracted, it can be compromised, even if on your phone. Hence why if you do this, have an encrypted USB drive with a self-contained zip extraction tool. Hardware encryption even now is notoriously flawed. Do the research if you do not believe me. Again, for backing up your password data, it is not a bad idea. Outside of that, I would not recommend it at all. Find a good reputable password manager. Preferably open source! That has been audited.
@milosm9280 5 years ago
Bitwarden is good.
@jamesedwards3923 5 years ago
I could not find a public audit for bitwarden. Hence why I have not used it. Do you know of one?
KeePass is good, but if you are on a Unix-based OS like Linux or Mac you can use Pass, the standard Unix password manager, which uses your own GPG keys to encrypt your passwords and store them locally on your machine, and there are quite a few syncing add-ons for it too.
@leeoswald668 3 years ago
Techlore! Anything about password store(pass)? I can't choose between bitwarden and pass. Used pass for many months, but now trying bitwarden
@bastyz1 4 years ago
It is better to have a long password (the longest you can) with dictionary terms than the thing you suggested here; if you want, I do recommend the latest NIST guidelines on passwords. The suggestions at 3:20 are outdated because they are too easy to forget.
@lanescast 5 years ago
Gold tips and tricks! Thanks for sharing this whole block of relevant information with us! Awesome material!
@APrintmaker 3 years ago
Very valuable info, thank you! I try hard to be safe online, but you mentioned weaknesses about which I had no idea. With 1Password going to subscription only, having total off-line control of passwords is getting more difficult.
@WafflesOinc 4 years ago
Hey, is there a way of having a USB device for managing passwords? Like those digital certificates
@RPGamer-bt5wq 4 years ago
Waffles, I think you can do that with KeePass because they store your passwords on your hard drive instead of the cloud
@NoEgg4u 5 years ago
One more option to consider: You can create a VeraCrypt volume, and store whatever you want in that volume. VeraCrypt is open source, free, powerful, and easy to use. Your volume is a single file (or multiple files, if you create multiple VeraCrypt volumes). VeraCrypt mounts that file, and it shows up as just another drive letter. Once you have created your volume, and you save whatever you want in that volume, you can make a copy of that volume (a copy of that file), for safe-keeping. You can then upload that volume (that file) to any service, and not give a hoot about its security, because that uploaded file has strong encryption, and is useless to anyone other than you. As long as you pick a very strong password, to initially open your VeraCrypt volume, the contents will be noise to anyone other than you. By the way, GPG is another option, if you want to symmetrically encrypt a single file. It, too, is open source, free, and powerful.
@jamesedwards3923 5 years ago
No argument here.
@realme12824 5 years ago
@Techlore How about using the built-in password manager in Firefox with a complex master password?
@techlore 5 years ago
You can, but keep in mind this is a very easy avenue of attack. Safer to separate your passwords from your browser with direct access to the internet.
@realme12824 5 years ago
@@techlore OK, thanks for replying, so switching to Bitwarden now...
@jamesedwards3923 5 years ago
No, look up the data on how it was thrown in. The effort was more or less shoddy work.
@CyberDocUSA 5 years ago
I wish more people would actually take the time to learn & apply these principles, but they don't. Kinda makes sense since most people also allow police to illegally search their person and vehicle when no legitimate probable cause is presented (or they don't even know to ASK what the probable cause is).
@jamesedwards3923 5 years ago
I had this argument on another thread yesterday. I try to educate people who ask me about the subject. I am sure if I asked most of them how their digital security is progressing. Most of them would have made no real effort. I know because I have asked. Months to even a few years after the fact. Some people have no idea what 'over criminalization' is.
@CyberDocUSA 5 years ago
Right on.
@allenholloway5109 4 years ago
I use VeraCrypt for my passwords, which is not a password manager, but it is the best form of encryption I know of. However, I have been WAY too lazy about making the passwords themselves. You store the encrypted drive or file locally, and can only unlock the HIGHLY encrypted data with one single password. As long as the master password is extremely secure, it is not feasibly possible to break into.
@jamesedwards3923 4 years ago
I have a more flexible option for you. Use KeePass or Bitwarden. If you want total control, KeePass, but use keyfiles also. There are fork projects and add-ons that allow for keyfiles and FIDO compliance. keepassxc.org/ is a popular version of KeePass. The interface is what turned me off. KeePass 2.x is simpler to use and discloses all the options. At least that is my view on the software. It is my preference. I do not knock it.
@cbckidz 5 years ago
God bless you man!!! Excellent video...
@cesarc2724 4 years ago
What do you think about the RememBear password manager?
@coritrottman9699 1 year ago
Something to add in 2023. Canadian law no longer forces you to hand your passwords over to law enforcement. It was a hot topic in 2016-2018 due to legislation being passed but ultimately multiple courts in different provinces have ruled that it goes against our charter rights and, specifically, goes against your right to not self incriminate. If you are compelled to decrypt, unlock or open a device for law enforcement, any evidence found will be inadmissible in court
@Prog47 4 years ago
My home was recently broken into but fortunately they didn't take any electronics because they know the police can track them. Since then I started looking for solutions to protect my data since I can think of nothing worse than a stranger having access to my laptop. I'm going to encrypt my PC with VeraCrypt and require a BIOS password for new drives
@jamesedwards3923 4 years ago
No dumb-ass criminal who powers up a device would do that. There are many software programs that call home. If a thief was bound and determined to access data on your device, they would physically disconnect the wifi, bluetooth, and even hardware ethernet connections. This is as easy as looking up the specs on your device. So now your device cannot phone home. Next, if they are smart, they will use some secure but lean version of an open source OS, like Linux; there are others. However, Linux is the most used for private and commercial use, outside of Microsoft Windows, Unix, and Apple. Oh yeah, Android, which is based off of Linux. Anyway, so they would do that. So if you are using hardware encrypted drives, depending on the drive, there are publicly available videos, forums, and docs talking about the weaknesses and how they can be compromised. Basically if you search the brand and make of hardware encryption, there are holes in many of them; some worse than others. Why? Because the manufacturers were very, very, very sloppy or careless. Basically, they wanted to upsell devices by using the words 'AES' and 'Encryption.' So your safest bet is to use software encryption for critical files and closing or minimizing holes in your operating system. Damn, so many holes in Windows for example. You can find guides and searches on all of this. Turning off a lot of those 'advanced' features, which are designed to help you troubleshoot and diagnose problems, are also avenues for people to compromise your system. Even some that try to make your system work faster and more efficiently are a potential security risk. Here, look at what VeraCrypt tells you.
As an example: www.veracrypt.fr/en/Documentation.html Now look at these articles discussing the issues with Windows and privacy: www.techrepublic.com/article/windows-10-violates-your-privacy-by-default-heres-how-you-can-protect-yourself/ pixelprivacy.com/resources/windows-privacy-settings/ www.computerworld.com/article/3025709/how-to-protect-your-privacy-in-windows-10.html Now before I continue with my reply in generality, I want you to listen to this video. Why you should NEVER* encrypt your backups Aug 29, 2018 kzbin.info/www/bejne/jmbGZX2Xp9KoZqs My Comments: This man is well known and respected in the circles and industry on this topic. I respect him. However I get really heated in the comments section. Why? Because the arguments are valid but have holes in logic and common sense. "Fail safe or fail secure." - As you probably figured out by now, hardware encryption should be used for low threat models. Or, failing that, it should be combined with software encryption at the bare minimum. My solution to this is simplicity itself. If you do not want to do software encryption of part or whole of the partition(s) of the drive, just encrypt the damn files! He is right saying it would be extremely difficult if not impossible to restore an encrypted partition if the drive is damaged. Retrieving files is a far easier task. No argument; however, what he pretty much ignores is this: "Just encrypt the fucking files on the non-encrypted drive. It is that fucking simple. That way if the drive is damaged, a recovery service should be able to retrieve most if not all of the files - which they will let you know in advance!" Hardware Encryption on External Hard Drives: Useless Feb 15, 2013 kzbin.info/www/bejne/o6qyhmljhLuUoZI Now another argument against even hardware encryption is that depending on the drive, manufacturer, design, etc., the same problem can happen. Which is more or less true. Again, many factors. There is something called 'The 3 2 1 Rule.'
When it comes to backing up files: 3 copies of the file, stored on 2 different types of media, with at least one off site. You buy enclosures and drives on the cheap. A 2TB platter drive costs less than $100. If you want SSDs, depending on the implementation and technology, $50 to $200 for 1TB to 2TB. The median income in the USA is about $35,000 gross for a single adult. Find a way! I always recommend using both. Yes, even with the known flaws in hardware encryption. Depending on the location, drive, and data on them, I often opt for both hardware and software encryption. If I choose one, it is software encryption. Tracking your technology is a good idea. Making sure the bad guys will have to struggle horribly to access anything on it is another. Now which software should you use? If you use software encryption, and you should! VeraCrypt is right now the leading open source option. TrueCrypt is its predecessor. DiskCryptor, a lovely drive-only option, but I do not know if that project is ongoing. You have PeaZip and 7zip as open source projects. There are plenty of retail options, but it is retail. No, I contributed to all open software I use. Not the money, it is the trust issue.
@BaddBadger 4 years ago
I just discovered your channel and this series a few days ago, and I'm really enjoying them and I'm learning a hell of a lot. So I really must thank you for that. But I really do need to go back to the start and watch them in the right order soon! I was halfway through de-Google-ing my life anyway, and I had (coincidentally) already moved over to one of the e-mail providers and one of the VPNs that you have recommended. Although, thanks to you, I hope to start using things correctly at last. Especially Tor, because as I am now learning, not everything with those magic three letters is created equal. But I would just like to say that in the last few years I have tried quite a few password managers (both free, and paid for), and I have yet to find anything that, for me at least, beats even a free LastPass account. I know it is not perfect (what is?) But whenever there is even an attempted breach then I get an e-mail explaining things and basically saying to change my master password just in case. But I still try other password managers as well because you never know when you might find something even better. I just want to warn people against Dashlane as one month into my 2nd year of a paid account they lost about 20 of my most important passwords (banking etc) and their customer service was so bad that I just deleted all my details and that account, waving goodbye to what I had paid for the rest of that year rather than keeping on fighting with them. Thankfully, I still had those lost details backed up in my free LastPass account. Yes, trying multiple password managers at once is a bit of an effort, and might leave me twice as open to possible hacks. But in this case it really saved the day.
@vansolo9794 5 years ago
Good to see you back!
@lexifry5148 4 years ago
What's your opinion on the MYKI password manager?
@legocloneguy1 5 years ago
How does each password manager compare and affect online anonymity? Is compartmentalizing different password managers necessary or is it sufficient just having one for all your compartments? If so, which one would be best suited for anonymity?
@jamesedwards3923 5 years ago
My personal opinion is to go open source with your primary password manager. KeePass, Password Safe. You can try to use online-based management systems if you travel. You have to analyze your threat vectors. If you are a frequent traveler, data-lite efforts might be advisable. 1Password's "Travel Mode" Security TWiT Tech Podcast Network kzbin.info/www/bejne/Zp6skJ6fnpeap7c www.schneier.com/blog/archives/2018/07/1passwords_trav.html Unless you are going to commit all your passwords to your head. Which for most people doing this and creating dozens of strong and secure passwords is not very fucking likely. Not impossible, but most people are not going to spend the time and effort required to successfully pull that off. Total anonymity? Not possible unless you start new accounts from scratch.
@jay-day 4 years ago
I disabled the ALP on my first cell phone because it didn't work most of the time. Maybe the screen wasn't sensitive enough or it was dirty, but I got tired of it locking me out when I kept entering the correct pattern but the phone repeatedly didn't recognize it.
@whendidyoutubeswitchtohandles 5 years ago
@Techlore What do you think about Boxcryptor? Is it totally safe or do you have an alternative?
@captainheat2314 5 years ago
I still use paper as I find it better, and adding a lemur to the end or a rule like +1 to numbers or -1 makes it impossible to get any data breaches.
@techlore 5 years ago
Good solution!
@jamesedwards3923 5 years ago
Your plan is flawed. Paper has flaws. It is a tangible asset that can be compromised easier than a computer. You have just disclosed that you use patterns in your passwords. Paper can be stolen just like a flash drive can. The difference is, I can have a file on it that requires multiple vectors for access. For example, let us take KeePass as an example. My password can be as long as I want it to be. Remember, randomness to a computer is anything it has to 'compute.' If you want to be lazy but efficient with the password to your KeePass file, you can use something called diceware, where you use strings of random words. Guess what, if you have enough words you can form a sentence. You can then add salt and pepper to that sentence that you alone know and nobody else. Sentences have spaces, punctuation, numbers, etc. Guess what, you now have a long password with special characters, upper and lower cases. Special characters, and remember those spaces count as special characters. Or you can rely on a piece of paper anybody can take from you. O.K., now you have your secure password to your database. You have eliminated the first flaw in human capacity. That is lack of complexity. How can you make it even harder? You can create key files. A keyfile can be any file it can read. You can generate them randomly, which is the preferred method. - If you use a password manager such as Password Safe, another open source project, you can use YubiKeys. - In my opinion the keyfile is reasonably more secure because you can create a number of them on the fly any way you can create a file. So a master password plus x number of key files is arguably more secure than a YubiKey, since it must remain tangible. Although in my security upgrades I might use one. So now you have your super long and complicated password, your key files or hardware key. Now you have a database. What are you going to store in that database?
Long and complicated passwords that are derived from a seed from the manager, but also from various factors of your computer. So clock speed, RAM, etc. Also these applications allow you to add additional randomness. As a human you have mechanical limits. Hence why technology is an upgrade from these limitations. Now a lot of people are hesitant to store data on the cloud. That is fine. You would and should just lock up the files in another layer of encryption. Whether that KeePass file is on an encrypted drive, or wrapped in another layer of encryption like a zip file or something. - If you are going to store the data on a hard drive, I strongly recommend either encrypting it in encrypted compression like a zip file, or an encrypted volume file, for example a VeraCrypt file volume. KeePass has passed most of its audits with minimal concerns. However, why take needless chances? - As of me typing this, May 2019, hardware encrypted drives have significant flaws. However, I have a few old and new. Depending on the environment I will typically turn the hardware encryption on. Keep in mind I software encrypt my external drives because software encryption is more secure than hardware. However if you wish, enable both. So now you added more security. Depending on which software encryption program you use, you can add not only passwords but keys, which can be of either type. Again, that extra security layer, depending on your methods, is far superior to a piece of paper that can be taken from you. The passwords created by the software will be way better than anything you keep in your head. Yes, obviously there are some passwords you need to remember! What I am saying is the less you need to remember, the better the rest of your passwords will be. Especially if you have to remember one or two things as opposed to many. Especially if you add extra layers of encryption.
@techlore 5 years ago
This will always be a better option. But I personally believe that having people store paper is better than remembering passwords on webpages with no password manager. It just depends on the user’s needs even if it isn’t the BEST option necessarily
@jamesedwards3923 5 years ago
@@techlore I am still trying to recover the passwords to older files. My fault and I blame nobody but myself. Even using keys and key-files is a more logical option than paper. Your data, so your choice.
@jamesedwards3923 5 years ago
@@techlore I had a similar exchange with others on other threads. My recommendation is to store backups with different passwords. Like I said, I have screwed up more than once. The simplest option is a diceware code, which logically could be a sentence, a few numbers. Or the much more dangerous route: a weaker password but multiple keys, which I never recommend. There are some programs which I will not name that allow for multiple users to access an encrypted asset. It allows for separate users and keys. This way, before password managers, I speak of this option for people who want to have a backup of their data, but do not want it compromised. You know, planned estates, corporations, etc. Let's use this famous story as an example: www.npr.org/2019/02/07/692466456/cryptocurrency-exchange-operator-dies-without-sharing-passwords-with-anyone Now if he had planned for this, but wanted the data secure, he could have implemented it in a number of ways. He could have divided keys and portions of the password three ways. 1) Safe deposit box. 2) Law firm. 3) Wife. That way he could have given them the encrypted file on an M-DISC. So you would need three people to open the encrypted data with the crypto. Last I checked a safe deposit box cannot be opened unless you are dead, with a court order. Legal, clean, and secure. Legal.
@RedFenceAnime 5 years ago
I use KeePassXC with the Firefox add-on for my less important passwords. And I recently installed Nextcloud which I also use to sync my contacts, calendar and bookmarks. I wouldn't want to store my .kdbx files on Google's servers. 8:00 Good tip, thanks! Meanwhile I can't keep my family from storing them in an Excel file and printing them.
@hackerman2183 5 years ago
What do you use for your more important passwords?
@jamesedwards3923 5 years ago
What I found disappointing is that with earlier versions of Firefox, the developers frankly were lazy in implementing encryption with stored passwords. Not only did they use an older hash function that is easier to brute force, they did not apply any iterations, which means it was not even a serious consideration to security in that regard. I am glad that Firefox is 'finally' working to resolve this in the future. The theme I have noticed in the past ten years is that some companies have taken lackluster or horrible efforts into encryption. Take for example hardware encryption. By my count between 2014 and 2019 there are a few instances where companies effectively were lazy in how they implemented encryption. Some so lazy that anybody with any number of free tools and a little patience can crack your 'security through obscurity' measures. The only reason I am 'considering' buying upgrades with hardware encryption is 'layering.' No other reason. Yes, many hard drives with encryption are flawed, but it is also a thought on threat models. If a common thief steals my hard drive, they will either sell the drive or wipe it for themselves. If they have to break through layers of encryption, it is harder for them to get the data. Until hardware encryption is implemented properly, you should always use software encryption if the data is sensitive. Regular drives cost less. Software encryption always trumps hardware encryption. Using a combination of the two is an economic choice. The implementation has been horrible with some companies. Samsung, according to the brief on their formal paper, had the fewest issues. Next up was Crucial. The best when using both is to make sure anything mission critical, that should not be compromised, is protected with 'software' encryption. Your options are as follows: 1) Software encrypt the files. 2) Encrypt the entire drive with software encryption, which will hit the performance depending on the hardware and the software being used.
Also depending on the software, you might have to choose weaker options with whole disk encryption. 3) Encrypted partitions of the drive. This is a viable option if you are concerned with the balancing act of security and performance speed. Remember you are potentially giving easier access depending on the threat to the device. Notice how software encryption is again the cornerstone of these options. Let us say some asshole who has hacking skills steals your computer with cryptocurrency, or has important documents like your tax returns or something. Or how about something worse: work information. Like say you are a lawyer or something. FYI, I am not a lawyer but you would have to be a fucking idiot to not a) software encrypt your client files, b) have backups of client files which are also encrypted with software, not hardware. Your computer is stolen. They look at it and will probably, depending on the hardware drive as of late 2019, take days or weeks depending on the various weaknesses known for each type of drive. Note: There is one hardware configuration I have 'heard of' that might be viable hardware encryption. However that is in the configuration of a particular manufacturer. So they break into your hardware encrypted drive but will now either find encrypted files, which should be way harder to break, or encrypted volumes, which themselves will be harder to break. Unless this person is going to commit more time and money to seeing if you have any data on it worth stealing, they will probably wipe the drive. There is also the consideration of the thief profiling you. Remember the smarter thief will choose their targets for gain. Typically you can gauge a person immediately. We are focusing on what the criminal can steal and gain a quick profit off of. Cash, jewelry, phone, etc. Same thing goes for home invasions too. If a data thief thinks you are worth the effort they will take the time to steal your tech and pound on it.
Other times they might take a quick run down on the device and see if there might be something of value. Also consider your probable threats. A common robber normally does not have the skill sets or time to try to break your layers. Think about all the people who are now fucked because hardware encryption was poorly implemented. www.zdnet.com/article/flaws-in-self-encrypting-ssds-let-attackers-bypass-disk-encryption/ www.computerworld.com/article/3319736/bitlocker-on-self-encrypted-ssds-blown-microsoft-advises-you-switch-to-software-protection.html www.computerworld.com/article/2995516/western-digital-self-encrypting-hard-disk-drives-have-flaws-that-can-expose-data.html www.theregister.co.uk/2015/10/20/western_digital_bad_hard_drive_encryption/ community.wd.com/t/what-do-you-think-of-the-security-flaws-in-the-western-digital-security-encryption-on-our-harddrives/172354 www.scmagazine.com/home/security-news/encryption-flaws-in-solid-state-drives-enable-unauthorized-data-access/ www.darkreading.com/vulnerabilities---threats/critical-encryption-bypass-flaws-in-popular-ssds-compromise-data-security/d/d-id/1333207 threatpost.com/samsung-crucials-flawed-storage-drive-encryption-leaves-data-exposed/138838/ nakedsecurity.sophos.com/2018/03/20/nine-years-on-firefoxs-master-password-is-still-insecure/ www.reddit.com/r/firefox/comments/9zwgkt/how_secure_is_firefoxs_in_build_password_manager/
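The point made above about the old Firefox scheme (an older hash, applied once, with no iterations) is easiest to see by measuring it. The following is an added example from the editor, not code from the video or any commenter: it contrasts a single pass of SHA-1 with PBKDF2-HMAC-SHA256 from Python's standard library and shows how the iteration count is the defender's knob for making each derivation cost real time. The password and salt are constructed sample values.

```python
import hashlib
import os
import time
from typing import Callable

# Constructed sample inputs; not taken from any real profile or vault.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = os.urandom(16)


def legacy_single_pass(password: str, salt: bytes) -> bytes:
    """One pass of SHA-1 over salt+password: the 'older hash, no iterations'
    style the comment criticises. Cheap to verify, and exactly as cheap for
    anyone holding a copy of the stored hashes."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def iterated_kdf(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a configurable work factor (standard library).
    Cost grows linearly with `iterations`, which is the tuning knob."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def seconds_per_call(fn: Callable[[], object], runs: int) -> float:
    """Average wall-clock seconds for one call of fn()."""
    start = time.perf_counter()
    for _ in range(runs):
        fn()
    return (time.perf_counter() - start) / runs


def slowdown_factor(iterations: int, runs: int = 5) -> float:
    """How many times more expensive one PBKDF2 derivation (at `iterations`)
    is than one single-pass SHA-1 on the same input. Every extra factor here
    is multiplied into the cost of each guess against a stolen database."""
    fast = seconds_per_call(
        lambda: legacy_single_pass(SAMPLE_PASSWORD, SAMPLE_SALT), runs=200
    )
    slow = seconds_per_call(
        lambda: iterated_kdf(SAMPLE_PASSWORD, SAMPLE_SALT, iterations), runs=runs
    )
    return slow / fast


def iterations_for_target(target_seconds: float, probe_iterations: int = 10_000) -> int:
    """Defender-side tuning: pick an iteration count so one derivation takes
    roughly `target_seconds` on this machine. Measures a probe run and scales
    linearly, which is valid because PBKDF2 cost is linear in iterations."""
    probe = seconds_per_call(
        lambda: iterated_kdf(SAMPLE_PASSWORD, SAMPLE_SALT, probe_iterations), runs=3
    )
    return max(probe_iterations, int(probe_iterations * target_seconds / probe))


if __name__ == "__main__":
    single = seconds_per_call(
        lambda: legacy_single_pass(SAMPLE_PASSWORD, SAMPLE_SALT), runs=200
    )
    print(f"single-pass SHA-1  : {single:.2e} s per derivation")
    for it in (1, 1_000, 100_000):
        print(f"PBKDF2 x{it:>7}    : {slowdown_factor(it):10.1f}x slower than single-pass")
    print("iterations for ~0.1 s per derivation on this machine:",
          iterations_for_target(0.1))
```

The absolute timings depend on the machine, but the shape does not: a single hash costs microseconds, while a properly iterated KDF can be made to cost a tenth of a second per attempt at no real inconvenience to the legitimate user, who unlocks once.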
@wiktorwektor123 4 years ago
I also use KeePassXC with the Firefox add-on, but for synchronization of the .kdbx file between devices you can use Google Drive without problem. But before you do it, secure your password database not only with a password but also a "Key File". Store this key file on at least 2 USB sticks/drives and plug it in to the computer only when you need access. Your database on Google Drive with a strong password and without the Key File is perfectly safe because they not only have to break a strong password (which is rather pointless) but also have the key file. And you cannot even start breaking the password without this file.
@jamesedwards3923 4 years ago
What you can do is use something like Bitwarden, if you wish to have passwords shared amongst family.
@ra5e 5 years ago
Now many websites replace KeePass with KeePassXC; even privacytools recommends KeePassXC?
@techlore 5 years ago
KeepassXC is a fork of Keepass. It’s more frequently updated so many people choose to use it. Completely your call
@ra5e 5 years ago
@@techlore thank you for your reply. I mean before, privacytools.io recommended KeePass, but now if you check they replaced it with KeePassXC. Not just privacytools; many other websites removed KeePass and recommend KeePassXC. I don't know why?
@ayhon 3 years ago
What about bitwarden as a password manager?
@summoner1451 2 years ago
Making a bunch of different databases in your password manager also means a higher chance of losing your passwords forever and having to remember more passwords to each database. That seems like a ton of work. How do you keep track of all your passwords for your password managers, encrypted files like the VeraCrypt container that you keep your password manager in, and your TOTP authenticator etc.? I would never be able to remember all those passwords without 1. writing them down on paper and risking a fire/flood etc. causing me to lose everything, or 2. writing them down and storing them in plain text on my phone or something, and you suggest not writing them down in plain text and using a riddle or something similar. That is a ton of stuff to remember.
@r3pents7 5 years ago
did Techlore switch to linux yet? i love u
@danielandrews5357 4 years ago
I'm thinking of making my own password manager that syncs only with Bluetooth and stores data locally in encrypted form with a unique key for each device. So if you need to sync, you'll need to bring your devices physically closer. Sure it is less convenient, but I'd take that over ANY cloud service any day.
@jamesedwards3923 4 years ago
If you have the knowledge and skills. Then go for it.
@hamzehqatash6256 2 years ago
Thanks a lot 🌹
@annabanan5518 4 years ago
Any reviews for ExpressVPN?
@DescendantsOfEnoch 5 years ago
Do not use simple number-for-letter replacements! Make sure it is at least 12 characters. Use special characters very randomly and never capitalize the first letter in words if it is a phrase.
@RedFenceAnime 5 years ago
LineageOS has an option "Lockdown" when you hold the power button. When pressed, the phone will stop displaying notifications on the lock screen and require a password (or pattern) to unlock.
@techlore 5 years ago
DavidFish is this on every phone? Can’t find this option on my 6P
@patiencelarson4128 5 years ago
@@techlore I have this option on stock android P ;). You can find it in Settings > Security and Location > Lock screen preferences > Show Lockdown option
@techlore 5 years ago
I no have that
@colmcorbec7031 5 years ago
What about something like Dashlane and a physical key like yubikey?
@skaruts 3 years ago
The great thing about password managers is that they also help you remember the million sites you made accounts in.
@rageagainstthemachineragea2497 5 years ago
One of your Greatest Videos! 😃👌👍💯
@TheExsi 5 years ago
What is your opinion on bitwarden ?
@anthonyfmoss 5 years ago
Did you see in the video it flashed up several times “ not all password managers are created equal - try out Bitwarden”. The reason the video said this is that it is not proprietary software it is free and open source (FOSS). For that reason, this makes it loads better than the others. I’ve been using it for ages and it’s absolutely fantastic
@TheExsi 5 years ago
Thanks for your reply. Honestly I didn't find it in the video, but on privacytools.
@jamesedwards3923 4 years ago
I have not used it. However, from what I have read and seen, I would recommend it. Open source, so please donate to the project! Plus if you have a family, it costs twelve dollars a year for advanced features.
@bigdjers 4 years ago
Very informative video. Thanks for the knowledge!!
@skaruts 3 years ago
I like the idea of Master Password, but I think it has a few potential weaknesses.
- maximum password length is 20 characters
- the app comes with passwords visible by default, which is sloppy imo, and even if you turn that off, it will show the password when you click _"set/save personal password/login",_ making it susceptible to keyloggers that screenshot your actions.
- if you need to renew a password, you have to raise the password counter. I'm not sure if this is a problem, but if your user settings are stored locally, then you'll have to remember that counter for each site when accessing from elsewhere, which is quite hard. Or if you lose your user settings, then you lose those passwords. Not a big issue but...
An observation: they state on their website that _"Most browsers will then ask you to "save" the site's password. If you're comfortable with that, it's a good way of skipping the above steps and logging in even faster next time."_ A sloppy suggestion, on their part?
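The counter problem described in the comment above follows from how deterministic password schemes work: nothing is stored, so every input that changes the output (name, master password, site, counter) must be remembered. The following is an added example in the style of Master Password, not the project's own code; the salt label, byte layout and character template are assumptions chosen to show the design, and the scrypt parameters are illustrative rather than the project's.

```python
"""Deterministic site-password derivation in the style of Master Password.

Added example, not the Master Password project's code. The real scheme uses
scrypt with its own fixed parameters, its own length-prefixed byte layout and a
set of named templates; the label, layout and template below are assumptions.
"""
import hashlib
import hmac
import struct

# Character classes referenced by the (assumed) template.
CLASSES = {
    "C": "BCDFGHJKLMNPQRSTVWXYZ",
    "c": "bcdfghjklmnpqrstvwxyz",
    "V": "AEIOU",
    "v": "aeiou",
    "n": "0123456789",
    "o": "@&%?,=[]_:-+*$#!'^~;()/.",
}
TEMPLATE = "CvcvnoCvcvCvcv"  # 14 characters: the template, not the user, fixes the length
LABEL = b"example.deterministic.v1"  # assumed domain-separation label


def master_key(master_password: str, full_name: str) -> bytes:
    """Stretch the master password with a memory-hard KDF, salted by the user's name.

    Nothing secret is stored anywhere: the same name and master password always
    produce the same 64-byte key, on any device.
    """
    salt = LABEL + struct.pack(">I", len(full_name)) + full_name.encode()
    return hashlib.scrypt(master_password.encode(), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=64, maxmem=64 * 1024 * 1024)


def site_password(mkey: bytes, site: str, counter: int = 1,
                  template: str = TEMPLATE) -> str:
    """Derive one site's password from the master key, the site name and a counter.

    Rotating a password means incrementing the counter; the user must then
    remember the new counter for that site, because it is not stored either.
    """
    msg = (LABEL + struct.pack(">I", len(site)) + site.encode()
           + struct.pack(">I", counter))
    seed = hmac.new(mkey, msg, hashlib.sha256).digest()
    # Each seed byte selects one character of its class. The modulo is slightly
    # biased for class sizes that do not divide 256; acceptable for illustration.
    return "".join(CLASSES[cls][seed[i] % len(CLASSES[cls])]
                   for i, cls in enumerate(template))


if __name__ == "__main__":
    key = master_key("correct horse battery staple", "Ada Lovelace")
    print(site_password(key, "example.com"))             # counter 1
    print(site_password(key, "example.com", counter=2))  # after a "renew"
```

Two properties worth noticing when running it: the output is identical on every machine that has the same name and master password, which is the convenience the scheme sells, and changing the counter by one yields an unrelated password, which is why a forgotten counter is equivalent to a lost password. The scrypt cost on the master key is also the only thing standing between an attacker who learns one derived password plus the site name and an offline guess of the master password.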
@ali57555 3 years ago
I would really like to see bitwarden password manager vs Dashlane
@shawnbenn 4 years ago
Great video. You didn't mention the option of 2FA in the password manager.
@s9209122222 4 years ago
Is Firefox Lockwise safe if there is a local password for it?
@jamesedwards3923 4 years ago
Never use the browsers built in password manager. Unless you have no choice.
@d0g_0f_Christ0s 3 years ago
Is Master Password produced by 'devland'?
@Yeeeeeehaw 5 years ago
Loved this topic. Thanks
@jamescampbell4916 4 years ago
You're the best! Still hunting for that pdf you mentioned in previous vids, but no biggie to write a list :)
@sunlite9759 4 years ago
Top drawer presentation. ...but did I hear anything about two-step sign-in? Phone verification?
@techlore 4 years ago
It’s the very next lesson of the series
@r3pents7 5 years ago
Also replace the word passwords with passphrase!
@jamesedwards3923 5 years ago
A passphrase is the best compromise since phrases are easier for the human brain to remember. You can use salts and peppers on passphrases. The problem is that many websites do o.k. to crappy jobs securing passwords. We all know this in general. Also you have to remember a computer can do a better job than a human with generating and remembering passwords. So the logical course of action is simple. For the passwords you must remember, passphrases are best. For passwords you do not have to remember, use some sort of encrypted password storage system. In conjunction, use a good random password generator. The third problem is that people want to remember passwords that are not mission critical. If you do not need to remember the password, store it in encrypted password storage of some sort.
@jamesedwards3923 5 years ago
In context, they are synonymous. Only somebody completely ignorant or an idiot could not figure out that password and passphrase are interchangeable when discussing this.
@quatie 5 years ago
How many characters should you use for a password?
@jamesedwards3923 5 years ago
Using a password manager and creating a master password, the answer is: as long as possible.
@ultrasounddog9428 1 year ago
KEEPASSXC❤
@toxiikevinator 5 years ago
awesome!
@josephstarling7359 5 years ago
There's an iOS app called Cloaker that works like Master Password: it generates a matrix of values based on a PIN and text entry that can be used as passwords, PINs and random-looking answers to security questions. Has anyone used it? What are your thoughts?
@vaibhavgupta2516 3 years ago
I use KeePass on Linux
@UCpRLf-3JlOxOyZ1vGEEMlGQ 5 years ago
No mention of two-factor authentication? Enabled on your password manager, your master password is not a single point of failure. Enabled on all other services, your password manager is not a single point of failure. And store all two-factor authentication recovery codes in a separate password vault or physically on paper.
@UCpRLf-3JlOxOyZ1vGEEMlGQ 5 years ago
@JADFcentral less secure yes, but I would trust them to some degree with 2FA enabled (for non IT people who cannot keep a database file/KeePass in sync). Reason is of course without 2FA your account is accessible from anywhere.
@techlore 5 years ago
2FA is the very next lesson. Patience young one 😉 The end of this video says 2FA is arguably just as important as a strong password.
@travelerexperience 4 years ago
Thank youuuuuuuuuuuuuuuuuu!!! What do you think about NordPass? Thanks
@techlore 4 years ago
Really 0 reason to use it IMO; that goes for any paid closed source password manager. Use Bitwarden if you want a free and open source password manager with simple cloud syncing and integration, or KeePass for something local
@kevinkeck640 3 years ago
With Android lock swiping you can also see the oil residue left behind and see the pattern
@centurion8158 4 years ago
I just use 32 char length alphanumeric strings as my passwords for everything
@jamesedwards3923 4 years ago
That is a problem. Yes, length does help with a password. However, anybody who has the hashes of your passwords from websites knows you fit a standard demographic: do not use length, do not use special characters, probably do not use upper and lower case. The weaker your attack surface, the easier it is to break your hash. This also tells me that you are trying to remember all your passwords. Which may not be true. However, it would not surprise me if you are. Which means once one or two of your hashes are compromised, they can figure out what you did and reverse engineer it.
@pumpkinpie7254 5 years ago
Locked out of LastPass and tried everything PLS! Any advice???
@ishzsbxux 4 years ago
Lmao
@jamesedwards3923 3 years ago
This is a year ago, but let's go over what you did and did not do, for future users. 1) Did you enable all recovery options absent SMS? You should never use SMS unless you have no other choice. 2) Did you export the database to plain text? Or a .pdf file? Obviously you would be encrypting that backup in a VeraCrypt volume of course. 3) Did you have your OTP option enabled? OTP is something like Google Authenticator. 4) Did you periodically transcribe your data to a KeePass file?
@htg41 5 years ago
Good and helpful lesson :)
@anirdbify 5 years ago
I want to move on to Bitwarden. But it's tough to trust 1 person compared to trusting a well known company like 1Password or LastPass. And KeePass just doesn't work on iOS. Oh well, it's all a mess.
@techlore 5 years ago
Bitwarden is open source. Don’t trust any company, trust code that’s viewable to the public.
@techlore 5 years ago
Also KeePass does work for iOS. What’s not working?
@anirdbify 5 years ago
Techlore Well, no official version, no trusted community fork, some like MiniKeePass pulled off the App Store, etc.
@johndaubner973 3 years ago
How frequently should you change a password?
@jamesedwards3923 3 years ago
You have to conduct threat modeling. Any password that is not in your head, which should be almost all of them, should be in your password manager. If you hear of a data breach on a site where the hashes were stolen, change the password. If you hear of a site that stored your password in plaintext, change the password. If you had to give up your password or if you know it was compromised, change your password. If your device was hacked, change your password.
@johndaubner973 3 years ago
Thanks!
@mulljacob 5 years ago
I think a court in California ruled that biometrics are protected, but I would still stick to just passwords until a clear precedent has been established.
@jamesedwards3923 5 years ago
Most of the people I know, seen on the street, etc. are lackluster to garbage. 1) Most use biometrics as a single factor of authentication on their devices. This is beyond fucking stupid if you give a shit about security. 2) Most use PIN codes instead of passwords. The potential strength of a code is greater if you use a password. 3) Many people do not encrypt their phone. Of course you have to exclude Apple users since it is turned on by default. 4) Most people do not encrypt their microSD cards. If I ever used biometrics it would be part of a multifactor system.
@tonydarcy7475 4 years ago
The problem with KeePass is that you can't use it on your phone. That's a pretty important feature these days, especially if I'm going to stop using iCloud Keychain.
@techlore 4 years ago
You can 100% use KeePass on your phone...
@tonydarcy7475 4 years ago
@@techlore I see they do have a mobile app but it appears to have some issues syncing the database based on the reviews for it. Maybe Bitwarden would be a better option for me.
@joec318 5 years ago
Storing your KeePass vault on your cloud drive doesn't make much sense since your cloud drive password is probably stored in your vault.
@FunctionGermany 5 years ago
He's referring to cloud sync, not simply uploading / downloading the file; that would be stupid. If you lose access, you still have the file locally.
@techlore 5 years ago
Exactly. You can make several copies of your database, including a local backup.
@somethingcoolgoeshere 3 years ago
PIN codes are also rather insecure as someone may be capable of getting it through the fingerprints on your screen (just clean your screen after you are done, with your shirt)
@stefanosgeorgiou3489 5 years ago
I think the comment that a good password does not use dictionary terms is partially misleading. Diceware passphrases exist for a reason and currently it's the most secure type of password you can have if you need to memorize it.
@jamesedwards3923 5 years ago
Yes and no. I would still recommend putting in numbers and symbols. A larger character set means more guesses.
@__________5981 5 years ago
I heard that some cyber security people are starting to recommend using pass phrases.
@jamesedwards3923 5 years ago
You say that like it is a difference. There never was a difference. A password is anything the application allows you to use.
@Gilotopia 4 years ago
All this advice is good but highly impractical. Just like that xkcd comic you're suggesting solutions that are easy for computers but hard for human brains.
@techlore 4 years ago
Using a password manager really isn't that impractical. For many, it makes life much easier and organized.
@goffdog6012 5 years ago
First in spirit
@therealsteve2437 4 years ago
Video begins at 0:39
@probablyahumanbeing4637 4 years ago
I made a secret emoji language
@snook.1 5 years ago
#25 is the most important password of them all.
@4ndj 3 days ago
Kevin Mitnick reference? xD
@roflchopter11 1 year ago
correctHorseBatteryStaple has entered the chat.
@Josh-zn4yi 5 years ago
Is it bad that my eyes instantly went to "pornhub" at 00:05
@dragonatorul 4 years ago
You're doing great work with this series, but I have multiple issues with the advice you give in this particular video.
1. The method of generating "secure" passwords you recommended has several major flaws:
a. It is too complicated for most people to bother with and will lead to complacent behavior like replacing just a few letters (which is easy to brute force) or using just one "secure" password everywhere.
b. The passwords are not easy to remember by the user, but easy to crack by an attacker. Even if you use leetspeak, the best source of entropy in a password is length. In short, the longer the password the better. That's why I don't agree with your advice to not use words. In fact you should use words, lots of them. A password of at least 3 words, better if they're from different languages, with special characters as separators, will be more secure than a one-word password with leetspeak simply because it will be roughly 3 times the size. The more words you use the harder dictionary attacks get, exponentially in fact. This has the added benefit that random words create interesting patterns in our brain which makes them easier to remember.
2. Cloud based password managers are not necessarily bad, or worse than local solutions like KeePass. In fact I'd argue that your recommendation is much more insecure than a cloud based solution. First of all, if you actually read the details of the attacks on LastPass you'd have observed that no actionable information was lost, and that the company acted swiftly and transparently to secure their systems and notify affected users. Not only that, but they have a track record of swiftly responding (within hours, which is practically unheard of in general) to researcher reports of potential security issues, and have an active bug bounty program. These are the kinds of things to look for in any software, but especially password managers. Open source does not necessarily mean more secure.
It takes money to maintain a bug bounty program, so often without government involvement (such as in the case of VLC) or without the software being adopted by a big company (like AWS) there is much less incentive for researchers to bother poking at it. Even if they do, if an open source software is not actively maintained, or if the maintainers are not easy to interact with or fast to respond, even if someone does find a bug it can sometimes take months to be fixed. Even if bugs are being fixed, if there isn't an easy, secure and reliable way to push out updates to all instances of that software it will most likely not be updated by the users, who are more and more expecting software to just update itself these days. In the case of KeePass you also have to deal with multiple different versions for different platforms, or multiple plug-ins, all of which are developed and maintained in separate projects by separate people and held to separate standards. A security flaw in one of them can affect the entire system. But the biggest issue with KeePass, and the way you recommend it be used specifically, is that it is just a file. Even if it is encrypted, that encryption is based on the password used by the user. If you upload the file to Dropbox, and someone gains access to your Dropbox account, the first thing they'll try is the password used for the Dropbox account. If that doesn't work they can just set up a brute force attack on the file and hit it all day long for as long as they want. If they're smart and dedicated enough they can do it in parallel on multiple machines and keep at it with thousands or millions of tries every second for as long as it takes to crack it open. There are some mitigations against this, but you did not mention them.
This is not a problem in cloud based solutions because they will (hopefully) be able to detect and stop brute force attempts, notify you of any breach attempts, and you can use MFA as an extra layer of protection (which you never even mentioned once in this video). I could go on, but frankly after all this typing I'm just too disappointed in the contents of this video to bother. I hope you revisit your research on this and take another shot at this video in the near future.
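The "just a file" concern in the comment above and the key-file advice earlier in the thread (@wiktorwektor123) describe the same attack surface from two sides, so one added example covers both. It is not KeePass or KeePassXC code: KDBX really does build its composite key as SHA-256 over the concatenation of SHA-256(password) and SHA-256(key file) before passing it to a slow KDF (AES-KDF or Argon2), but the header layout, the `work` knob and the HMAC check below are constructed stand-ins, and hashlib.scrypt stands in for the real KDF. The key file and word list are constructed for the demo.

```python
"""How a KeePass-style composite key protects a stolen vault file.

Added example, not KeePass/KeePassXC code. KDBX derives its composite key as
SHA-256(SHA-256(password) || SHA-256(key file)) and feeds it to a slow KDF;
here hashlib.scrypt stands in for that KDF, an HMAC over a small header stands
in for the integrity check, and the header layout is a constructed stand-in.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple


def composite_key(password: str, key_file: Optional[bytes]) -> bytes:
    """Mix password and key file the way KDBX does; with no key file only the password counts."""
    material = hashlib.sha256(password.encode()).digest()
    if key_file is not None:
        # KDBX uses 32-byte raw and XML key files directly; any other file is hashed.
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def stretch(composite: bytes, salt: bytes, work: int) -> bytes:
    """Memory-hard stretching; `work` is scrypt's N, standing in for Argon2 memory/iterations."""
    return hashlib.scrypt(composite, salt=salt, n=work, r=8, p=1, dklen=32,
                          maxmem=64 * 1024 * 1024)


@dataclass
class VaultHeader:
    salt: bytes
    work: int
    check: bytes  # HMAC(stretched key, salt || work): lets a reader confirm the key


def _check(key: bytes, salt: bytes, work: int) -> bytes:
    return hmac.new(key, salt + work.to_bytes(4, "big"), hashlib.sha256).digest()


def seal(password: str, key_file: Optional[bytes], work: int = 2 ** 14) -> VaultHeader:
    """Produce the header an attacker would find inside a stolen database file."""
    salt = os.urandom(16)
    key = stretch(composite_key(password, key_file), salt, work)
    return VaultHeader(salt, work, _check(key, salt, work))


def unlock(hdr: VaultHeader, password: str, key_file: Optional[bytes]) -> bool:
    """Exactly what the legitimate client and the attacker both do, once per guess."""
    key = stretch(composite_key(password, key_file), hdr.salt, hdr.work)
    return hmac.compare_digest(_check(key, hdr.salt, hdr.work), hdr.check)


def offline_attack(hdr: VaultHeader, wordlist: List[str],
                   key_file: Optional[bytes]) -> Tuple[Optional[str], float]:
    """Try each candidate against the header. Returns (password or None, guesses per second)."""
    start = time.perf_counter()
    found = None
    for candidate in wordlist:
        if unlock(hdr, candidate, key_file):
            found = candidate
            break
    elapsed = time.perf_counter() - start
    tried = wordlist.index(found) + 1 if found is not None else len(wordlist)
    return found, tried / max(elapsed, 1e-9)


if __name__ == "__main__":
    KEY_FILE = os.urandom(64)                                 # constructed stand-in for the USB key file
    WORDLIST = ["password", "lemurs", "lemurs42", "hunter2"]  # constructed guesses
    hdr = seal("lemurs42", KEY_FILE)
    print(offline_attack(hdr, WORDLIST, KEY_FILE))  # finds 'lemurs42'
    print(offline_attack(hdr, WORDLIST, None))      # None: right password, no key file
```

Running it shows the two mitigations the comment alludes to. Without the key file the attacker's loop never succeeds even with the correct password in the word list, because the composite key is missing 32 bytes that no amount of password guessing supplies. With the key file the loop does succeed, and the guesses-per-second figure it reports is governed by `work`: doubling it roughly halves the rate an attacker can sustain per core, which is what raising the KDF cost in a database's settings buys you against a copy taken from cloud storage.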
@hackerman2183 5 years ago
Finally!
@techlore 5 years ago
I know! No more delays 👊
@justinw8716 4 years ago
2160p on your phone squad?
@ardaaylar5503 4 years ago
25
@nightmarenova6748 5 years ago
360p squad!
@pra.cent20 4 years ago
240p 😆
@wlcmtoricefieldsmf 3 years ago
144p 💀
@edwardlouisbernays2469 5 years ago
Gee wizz, I use the password manager in Firefox, on a GNU Linux machine. I am allergic to MS Windows; the user becomes psychotic. When Ubuntu was offered in 2004 I was released from the Insane Asylum in San Diego, Ca. I am trying to locate other MS Windows Psychosis Victims to file a Class Action Law Suit. I live in San Francisco. Hobo Boxcarro. I may not be crazy, but MS Windows put me in the big mental hospital called San Diego Psychiatric Hospital, 3851 Rosecrans St, San Diego, CA 92110. Gee wizz, Batman, it was awful!
@Aerox90 5 years ago
I'm still sceptical towards password managers =/ especially those which store my passwords on their server and can be revealed to anyone who comes over my master password! :S Without using a PM, a hacker has to guess which services and websites I use, and which credentials are used to access them respectively. If my password manager gets hacked, then the hacker is served with a complete map of every service and website I use AND the unique login keys for each one!? 😟 Can auto-filled passwords be "keylogged" somehow? Like a "Man-in-the-Middle" attack monitoring the data passing from, let's say LastPass for example, to the app's/website's password field? Or be extracted from the browser/app by spyware after being pasted? :S I hope future phones and computers will have a physically separated storage, not accessible to the main OS, where things like passwords can be stored 100% unreachable unless you have physical access and know the master password to the storage! Those could be displayed as a floating window streamed directly from the isolated system to the display, without needing to pass through the main system, and thus not visible on screenshots etc! 🙂 (Please, feel free to use this idea without crediting me 🙂 I don't feel the need to come up with inventions to earn more money, I just want to use the stuff...! xD)
@aerdian 5 years ago
If the question was “Last name of your favorite teacher” and I answered honestly, I know at least one person would be able to super easily gain access to the account...my favorite teacher, since I actually told him/her that he/she is my favorite teacher 😂
@jamesedwards3923 4 years ago
You treat secret question answers like passwords.
@charliebrownau 5 years ago
Please remove ALL music and then upload this video to BitChute
@Mbeluba 3 years ago
I really don't agree with the password manager database compartmentalisation. Just tell people "use Bitwarden, don't reuse passwords, use OTP 2FA". Being able to do this basic thing will enable people to continue with other compartmentalised privacy things and free up mental energy. Give that 1 minute long info in the beginning and only after that add the additional information (the additional appended phrase is genius, although I don't think 99% of people would benefit in any way from it)
@nero1810 5 years ago
The password tips are garbage tbh, the only thing that matters is length.
@techlore 5 years ago
Complexity is extremely important. That is not the only thing that matters
@nero1810 5 years ago
@@techlore It is a myth, this comic explains it well: xkcd.com/936/
@justinw8716 4 years ago
Just to be sure: don't use words from the dictionary.
@nero1810 4 years ago
@@justinw8716 No, please use words from the dictionary. For example river-bird-hexagon-kappa is a supersafe password
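The length-versus-complexity argument running through this thread (the 32-character strings above, the Diceware and xkcd comments, and the "river-bird-hexagon-kappa" example just above) comes down to counting guesses. The following is an added example, not from the video, that computes the entropy of each style and the average time an attacker would need at an assumed offline rate. The dictionary size and the guess rates are assumptions for illustration, not measurements of any cracker or hash.

```python
"""Entropy and guess-count estimates for the password styles argued about here.

Added example, not from the video. The word-list size and guess rates are
assumed illustrative figures, not measurements of any particular tool.
"""
import math
from typing import List, Tuple

DICEWARE_LIST = 7776          # 6^5 words in a standard Diceware list
ENGLISH_DICTIONARY = 100_000  # assumed size of an attacker's word list


def bits_random(length: int, charset: int) -> float:
    """A uniformly random string: every position is an independent choice."""
    return length * math.log2(charset)


def bits_diceware(words: int, list_size: int = DICEWARE_LIST) -> float:
    """Words drawn uniformly from a public list; the attacker knows the list."""
    return words * math.log2(list_size)


def bits_leet(dictionary: int, substitutable: int, suffix_digits: int = 0) -> float:
    """One dictionary word with a->@, s->$, o->0 style swaps and a digit suffix.

    A cracker applies such rules automatically: each swappable position is one
    binary choice (about 1 bit) and each appended decimal digit about 3.3 bits.
    """
    return math.log2(dictionary) + substitutable + suffix_digits * math.log2(10)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    return (2 ** bits) / 2 / guesses_per_second


def compare(guesses_per_second: float = 1e10) -> List[Tuple[str, float, float]]:
    """Rows of (label, bits, expected seconds) for the styles under discussion.

    1e10 guesses/s is an assumed offline rate against a fast unsalted hash;
    an online attack against a rate-limited login is many orders slower.
    """
    rows = [
        ("p@$$w0rd (one word, four swaps)", bits_leet(ENGLISH_DICTIONARY, 4)),
        ("river-bird-hexagon-kappa (4 Diceware words)", bits_diceware(4)),
        ("6 Diceware words", bits_diceware(6)),
        ("32 random alphanumerics (manager-generated)", bits_random(32, 62)),
    ]
    return [(label, round(b, 1), expected_crack_seconds(b, guesses_per_second))
            for label, b in rows]


if __name__ == "__main__":
    for label, bits, secs in compare():
        print(f"{label:48s} {bits:6.1f} bits  ~{secs / 86400:.3g} days")
```

The numbers put both camps in their place. The leetspeak word survives a fraction of a second offline; four Diceware words survive about two days at the assumed rate, which is fine for a rate-limited website login but thin for a master password whose vault may be stolen; six words move that to tens of thousands of years; and a 32-character random string from a manager is out of reach entirely, which is why the only passwords that need to be memorable are the few that unlock the manager itself.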
@justinw8716 4 years ago
@@nero1810 I have a notebook so I could just write it down if it’s too complex
@idankcai7787 5 years ago
hi lol.
@techlore 5 years ago
Ay
@idankcai7787 5 years ago
@@techlore how was your day then?
@techlore 5 years ago
No u
@idankcai7787 5 years ago
@@techlore That's hardly funny, mister. Please reconsider your choice of vocabulary next time.
@huntedghostsnero7035 5 years ago
The only secure vault you will ever need is in your head. Find a dead language, pick up a few words that appeal to you, personalize as fits your way of thinking. Let the algorithms running on supercomputers spin around your hashed passwords all they want.
@jamesedwards3923 5 years ago
You forget dead languages are still archived in libraries. You forget that humans have a severe limitation in complexity and memory. I say use those for the codes he has to remember. Everything else, store in an encrypted management system.