le CTRL A + CTRL + C has arrived

@@priyapepsi Oh! You hacked my unhackable password storage! 😂 😂 #Respect

@@MarcCastellsBallesta l33t h4xx0r skillz bro

Doesn't work. I have to keep 300+ strong passwords.

Class bad practice, but with remote working now, doesn't seem so bad. As long as your kids aren't trying to access

Classic*

@@oberlinio Not really a bad practice, if you do it the right way (nobody else you do not trust can easily enter the room or take a look at the note from outside). Or you could also lock the note with the passwords in a save. Most people do not encrypt there system. So somebody with physical access could already get most of the data. So preventing physical access is the most important thing. It is also way better than trusting some cloud service with your passwords.

@@addygreen8919 Yes it is. The answer to physical access as a security flaw is not to make it easier. If it is just as easy to extract passwords from an unencrypted computer, the solution is to encrypt the password storage, not make it easier by just sticking the password under your keyboard lmao

@@XxDarkXxXSasuxX If physical access to the room with your PC is not that easy, it is way more secure to place the note with your passwords under the keyboard, then what a lot of other people are doing: Using some shady cloud password manager. It is also not like that you need to put the note with your passwords directly near to your PC. About secure and open source password managers: I am pretty sure that there will be a lot of people, who get problems in some years, when their password management software does not work anymore for some reason. Maybe the user accidentally deletes some stuff or the software does not work with upgraded packages. A lot of this people won't be able to deal with this problems by them self and it would have been way better for them, if they would have just wrote their passwords with a pen on some paper.

KeepassXC!! Why KeePassXC instead of KeePassX? KeePassX is an amazing password manager, but hasn't seen much active development for quite a while. Many good pull requests were never merged and the original project is missing some features which users can expect from a modern password manager. Hence, we decided to fork KeePassX to continue its development and provide you with everything you love about KeePassX plus many new features and bugfixes. Why KeePassXC instead of KeePass? KeePass is a very proven and feature-rich password manager and there is nothing fundamentally wrong with it. However, it is written in C# and therefore requires Microsoft's .NET platform. On systems other than Windows, you can run KeePass using the Mono runtime libraries, but you won't get the native look and feel which you are used to. KeePassXC, on the other hand, is developed in C++ and runs natively on all platforms giving you the best-possible platform integration.

@@1MinuteFlipDoc I'm actually using KeepassXC. It's not like it's really good, but it's the best client for keepass for now. I hope there will be something better looking and more stable in the future

@@Rundik I don't see how it leaves anything to be desired in terms of looks or stability. I would be happy to see a couple more features though - for example deeper configuration options for backups.

@@holleey Deeper configuration options for KeePassXC ? Like? It has everything you need.

@@hammerheadcorvette4 currently, all I am aware of is one toggle option "backup database file before saving". this creates one copy of the database file sitting in the same folder as the original. this is the most barebones implementation of backups possible and leaves much to be desired. specify a custom filename pattern and location for the backup. specify multiple backup locations. then if we go more advanced, upload the backup to a server. automatically mount an external drive to backup to. have different triggers for backing up, not just on saving the file. ... so you either have very barebones requirements for backups personally, or I am not aware of some obscure options.

And hiding that!

Sure... Manually typing 30 random characters passwords multiple times a day is so fun! Oh and that's a known fact that friends NEVER betray you. That never happens.

@@vaultdweller966 Most websites have indefinite sessions so no clue what you are talking about maybe i might have to type in a password once or twice every day at most

unless they press the "save password" button on the browser XD

Until the notebook is found by someone beside you... use a "double blind" method with PW manager ie ADD an extra memorized "PIN" to all the long complex auto generated PWS your manager makes. Then even if the manager gets hacked and decrypted, your PWs saved within are all incomplete anyways only YOU know the extra "PIN".. And yea you could use this method with a note book too, to be fair lol

@@fightlikabrave This shit is genius, never thought of it. Even if its an simple addition like a single letter, noone knows

@@fightlikabrave Yea I'm gonna add a symbol instead.

I like that, clever solution.

But you have to encrypt before pulling the Keys.

​@@danilodistefanis5990 I don't think decrypting the keys changes anything on the actual storage device that you have to 're-encrypt' when you want to unmount. wiki.archlinux.org/title/Dm-crypt/Device_encryption#Cryptsetup_usage is how I've encrypted it with luks encryption and I'm fairly confident that even if you pull out the drive after decrypting, everything is still encrypted when you plug it back in.

thats what i use. its fantastic

I’ve been running KeePassXC for a while now. Working great for me. Good project, and cross platform for those who need such features.

Thanks everyone here! nobody talks about keepass online. Its always laspass for the normal consumers and bitwarden for those that know a bit more. I like keepass's local assword database better than both those solutions.

Syncthing is an incredible general utility for syncing files. (No hosting required) But any other synching method is nice Difference with bitwarden is ease of extensibility But to each tgeir own, peoples usecases and preferences differ

there are pass compatible clients people have made that work for ios, as well as one android client. for some reason there is more choice on the ios side.

Left Lastpass for Bitwarden. Lastpass restricts now access from one device only free plan.

@@vitastimator yeah i use bw as well

@@vitastimator yep…

you dont need a master password to open a notebook

​@@NamelessStudiosInc But you need to physically open the notebook. So really if you get a key logger or any remote attack thrown at you, well. Logging onto KZbin giving up your "master" password is giving the attacker the password to EVERYTHING. But with a non network or computer accessible password storage (notebook) is going to make attacks limited and take time and energy to extract anything. Or they physically brake into your home. Like if a attack is about taking your passwords then it is going to do it. But if we talk about a general safety from a big non focused attack. Well. DO NOT RELY ON IN COMPUTER CLIPBOARDS OR ANYTHING THAT CAN BE EXPLOITED WIDELY! Better not rely on stuff that can be exploited by a bad actor for big effect. Like buying a NAS server where the software (being a big target for profit) infect and ransom people simply for being a big target that pays off. Since a attacker have a good chance of a payoff going for that! But not so much attacking someones offline NAS home setup. You need to become a big target to be worried about this stuff. No! Worry about the wide attacks that can be a PAIN! Like passwords leaking outside of your control. At home you should be in control. If your afraid of some real attack? At that point wtf are you up to? I mean if they take everything your going to notice the attack and have a real problem. You lost your stuff! And if you do not notice a physical attack then you are in even bigger problems. Since then the attack was not about taking the computers but information. Passwords, data etc. But to go in to your place just for passwords or data?? What? Like common. At that point your best way to defend yourself is a gun or something... And security systems and what not. Passwords matters very little at that point since this are real attacks towards you! You need to have some serious passwords worth something that a "master" password by default is to much of a security hazard to allow. Like common you do not put the nuke passwords next to a KZbin password. So really why on earth this hole debate even exist. If you can smash the computer to bits then a sticky note is not that big of a security risk. Better avoid a attack getting that close to the computer in the first place. Really passwords fail, like most things. Really it is better to split stuff up and limit what a attack can get from you. Like having a dedicated machine for just banking. One for web etc. And make the attacks pointless. Or hard to pull off. Like there is so many point of failures that your passwords are quite frank not safe to begin with. Heck having a network of any kind is the biggest security hole you can have. So really the levels of problems are so deep that screw passwords. You got to little control around it to make it secure! Your better off not having passwords at all. They at best can be looked at as the locks on school lockers. Flimsy and easy to defeat. But do the job for wide attacks to not go nuts. Not much more. I gladly sticker stuff up that only someone physically can see from the computer users view. Since they are meant to see and know it. Not some security hole in software or hardware eyes. Unix Pass works grate on a admin level or some shit. Multi user computers kind of deal. But here we are talking passwords security at home. It should be the safest place you got. So why NOT store it there??? You live in the same room as the enemy? Why not disconnect your computer from that storage media of your passwords? Why store the keys/passwords on computers at all? It is all about laziness. Really easy password and a second layer of defense is plain better. Since then a attack can trip alarms. But that is not a option every time. So plaster passwords around your desk or server at work all you like. Since there is no security in this world. Only ways to be safer. If a password really is impotent then you learn it. Or make a safe box that no network can reach into. Physical attacks can kill you, computers can also die to a baseball bat. And both can be made to talk. :)

@@TheDiner50 I don't use pass, I use keypassxc with a password (20+ chars) and a keyfile. And I recently bought 2 yubikeys. Not sure about you but I feel kinda safe

When KeePassXC exits?! Why go through the trouble.

Depemds how strong the encryption is. AES 256 bit? Yeah sure, go ahead.

you would also have to have a copy of your pgp key. either printed out or on a usb key which is another vulnerability

@@RolandSharp pgp key which is anyway protected by password! Maybe the revokation certificate is not instead, not sure..

Good question.

I think the output is not saved. Only the command. And you have to give it a master pass.

The shell history save all given commands, entering a password after executing i.e pass, is an input to the programm not the shell, meaning it will never be saved in the shell history unless you accidentaly enter it in the shell itself It is the same with sudo

can I ask why? because they don't need to be secret, firefox sync between mobile and desktop should be enough i think.

@@Nathanwithz Because inuae multiple browsers and i change them often i dont want to import everything everywhere all the time. I rather have it all centrally saved or backed up in my private cloud and on my machine

@@BobDoe_69 just export it to a git repo?

The thing about bitwarden is that there is a master backdoor to force updates (leaked by disgruntled developer) that possibly could be used to update malware to users machine, or if company's server was hacked could force malware to users.

@@littlepeon Do you have a source?

@@GalacticAccidentyes an ex developer raised concerns: replace (dot) with actual dots: community(dot)bitwarden(dot)com/t/three-major-bitwarden-security-issues/14528

@@littlepeon Thanks

What hashing algorithm do you use? what if some site has a limit on the length of the password, since hashes can be big. And the salt, is just a string or do you have something else.

@thefallenshadow No you didn't read what i said. I said with a salt. I use argon2i and a randomly generated salt. Its impossible for somebody else to guess the password without hacking my computer (and even then they cant take the salt without a key logger). Its as safe as a password manager except you dont need to store password anywhere. Maybe you should read more about it.

I mean, maybe shouldnt have posted that to KZbin cuz now the weakest link in your password security is the complexity of that salt.

you have to type the passwords in eventually. when you do, the keylogger will see it all the same.

@@Nathanwithz But they don't steal all your passwords at once then, just that single one

Bitwarden saves your password "good knows where" how can you trust it ?!

@@maumuxas ah, youtube is shadowbanning me, but the decryption happens client side and the server only holds encrypted data. This is verified by third parties and I did check the source code too And in my case I have my own bitwarden server

@@jimbo-dev I can imagine if there was third party check that data safe for hacking, but is it safe for loss ? if hackers simply delete it, you loose all your passwords. Could happen many things, like fire, electricity problems, or anything else so you loose your passwords ?!

Great idea

Similar here. Bitwarden (or to be precise, its lightweight implementation Vaultwarden) is open source and can be self-hosted, so you get full control of the data. Have set up automated encrypted backups in cloud (in case if house burns down) and Wireguard VPN (hosted on same rpi) for accessing from smartphone outside home network. As a bonus, mobile ads get blocked by pihole (again, same rpi), when connected to VPN.

LastPass and Bitwarden both advertise team password solutions. Don't use them, so cannot advise.

pass works with usernames, emails, security questions and even 2FA

dk bout git but syncthing is very good for this exact problem

I mean, it's probably more secure than like 80% of ways that other people store their passwords but you should make sure temp files of the unencrypted file are being deleted.

He is feeding speculation. Password managers have a Secret key which is stored locally and never shared to the main server, and that with a combination of a password is used to decrypt the vault.

Honestly, you could just have a strong password and backup the naked key. It does mean you make the two factor security into one factor security but given a strong password that shouldn't be a big problem.

use pass in WSL :P

Keepassxc, bitwarden and lastpass

@@RyanRyan-no4vt thank you

Not true, you can also store your usernames in the password files. And the extensions like rofi-pass can also autotype username/password/whatever into wherever you like.

@@MoopyToopy How's that supposed to work? If you copy something into Dmenu, you can either copy and paste the password or the user name, since it is two different fields on a website.

@@maxarendorff6521 KZbin keeps deleting my comments so I'll try one last time. I can't speak for dmenu because I use rofi but I'm assuming it's similar. I've installed the rofi-pass extension which has a feature to autotype whatever you like into whatever program you want. It's not limited to just usernames and passwords and I use it all the time.

@@MoopyToopy Ok cool, thanks for the clarification

You trust Google with your passwords ?

@@wikingagresor I trust their servers, they never get hacked.

@@UtahTaffer ok, if you don't mind some admin checking your accounts out of boredom...

@@wikingagresor I'd know if there was a login from a IP I don't use. Had that issue with someone trying to login to my Warframe account from India. The 2FA stopped them.

Not really about trusting Google's servers but trusting Google won't give up that info to some third party for any amount of money.

Can you explain it ? I'm interested to know

​@@nostalgia9256 They are many way to do that and I changed often through the years, but for example, in the past I was doing something like this. Use a salt, something long enough a phrase that makes sense to you. To it, you do some basic transformation like we often do, some random leet or deliberately misspelled words to make it harder to guess. Then add a pepper to it which you get from the service you want to register the password. Then the most important, how will you crumble the later result, you apply to it a series of transformation you can do manually, a classic encryption algorithm or something you made up where they key has something to do with a value you take from that same service you want to register. If it's not enough, you can still pipe the result through a hash algorithm. You should change the "salt" and the "technique" after a while. The history behind this is, back in the day when I was student, I had to use different and clean computer very often. At school they flash the hard drive each night. So, no way I could use a password manager and there were absolutely no way I put it on a paper or else. So I came up with this technique which I still use today.

Why though? Remember 6 passwords and you never have to go through the hassle again. Also you never 'forget' sites that you used, which makes your digital footprint more easily accessibke to you

Well you go to one of your 3 backups and restore the data...duh You do have 3 backups(one off-site) don't you?

You can add whatever information you want to the password files that pass manages. Check the section 'Data organization' on www.passwordstore.org/ for examples.

Also pass works with 2fa, you just get the pass-otp package add the token using the pass-otp command.

Confirmed!

Thanks @@DistroTube 😁

huh? does nothing with the clipboard, at least on my end. I'm on ubuntu btw. doing: $pass show some/of/my/passwords just prints the pass to stdout, what you do with that afterwards is your own choice

Dmenu_pass automatically passes it to the clipboard, also it would be really inconvenient just retyping it from the terminal to the browser. And something about my password appearing in plain text bothers me

@@lamprospitsillou6325 that's what 'reset' is for! lol My passwords are mostly human readable so I just have to see them once to remember them and then I can type them down by hand. if you have random generated ones then yeah a safe way to paste them is necessary. there's no way to easily delete your clipboard manager's history?

@@lucianoosinaga2980 Maybe i could remove the last line entered, that is not such a bad idea, ill just have to not copy anything else for 30 second which isn't a big deal. Maybe ill give it a shot again!