Are Password Managers Safe and Secure?

  • date added: 30. 01. 2023
  • Password managers are a necessary tool because it is almost impossible to keep track of all the unique passwords we need for each website we use. However, any data that is stored in the cloud is vulnerable and there have been some high profile data breaches. So, are password managers truly the safest option or are we all putting our eggs in one basket?
    ---
    PHNX the super-slim smartphone cases: andauth.co/GetPHNX
    This is an affiliate link.
    Check if your email or phone is in a data breach: haveibeenpwned.com
    Twitter: / garyexplains
    Instagram: / garyexplains
    #garyexplains

Comments • 127

  • @jfreshh330
    @jfreshh330 1 year ago +16

    I personally have over 400 passwords, all unique and random. It’s almost impossible to not use some kind of password manager. Who the hell can remember hundreds of all unique random different passwords lol. I use the iOS built-in keychain feature

    • @undefinedxx55
      @undefinedxx55 2 months ago

      Lmaooooo you use an Apple service for passwords

  • @HydrasHead
    @HydrasHead 1 year ago +1

    As another comment I would suggest Aegis as a 2FA app. It lets you set a password for access and allows you to back up your entries.
    So as long as you have access to your backup, your phone can get stolen or break down and you don't immediately lose access, in case you forget your backup codes.
    The backup feature only works with a password, so even if someone should get access to your phone they first need to decrypt this file as well to access any of your accounts.

  • @frodar48
    @frodar48 1 year ago +3

    I used Google browser for the longest time, until I ditched Google browser, then went to Last Pass, now I use Bitwarden. Guess I should change my Master password from chocolate bar now:)

  • @QuickNETTech
    @QuickNETTech 1 year ago +1

    For 2FA I highly recommend Aegis if you're on Android. Use Aegis alongside Bitwarden myself.

  • @AdrianBan04
    @AdrianBan04 1 year ago +3

    I'm using type 1 (KeepassXC and KeepassDX) used with a cloud system like Nextcloud and you can synchronize it over multiple devices.
    The kdbx file stays on Nextcloud.

  • @mikeg9b
    @mikeg9b 1 year ago +2

    I use KeePassXC. I sync the password database file among 2 desktops and a laptop with my cloud backup solution -- Restic and Backblaze B2. On my phone, I type in passwords manually. I try to be as minimal as possible with my phone use, and I don't trust it with anything money related. I created my master password with pwgen -s, one of 3 strong passwords that I have memorized.

  • @satysin630
    @satysin630 1 year ago +4

    I use a password manager for all my accounts with two exceptions. The password manager login itself and my main email account. For those two accounts I have a strong multi-word passphrase I can remember but that is proven via maths to be extremely difficult to crack (currently anyway) and secure them with TOTP MFA as well.
    That way even if my password manager service is hacked and the attacker manages to do the near impossible and decrypt my specific password vault they don't have the two most important passwords. It isn't about giving myself impossible to crack protection but a balance between good enough protection and convenience. I have 714 passwords in my password vault right now. Every single one is unique and 20 characters or longer. There isn't any way on earth I could remember even 5 of them reliably. The only realistic option is to use a tool to help balance that security and convenience.

    • @GaryExplains
      @GaryExplains 1 year ago +3

      I think those are both sensible precautions, thanks for sharing.

    • @satysin630
      @satysin630 1 year ago +1

      @@GaryExplains I just figure some form of compartmentalisation makes sense. I can remember _two_ strong passwords for the two most important accounts I have and keep them separated from my PW manager without it inconveniencing me in any way and it protects me if my PW vault is ever stolen and decrypted by some nation state 😂 The hacker can't steal what was never in my vault after all 😉

  • @evolopterus
    @evolopterus 1 year ago +1

    If you use a password manager, make sure the master password is very secure. 20+ characters, a pass-phrase is best. And make sure you set PBKDF2 iterations at least 100,000 (more is even better, but no extreme numbers otherwise it will slow down decryption of your passwords on your devices)

  • @Chalisque
    @Chalisque 1 year ago

    I do remember years back reissuing and resetting my debit and credit card PINs at the same time. I got the new temporary PINs in the post and they were _consecutive_ four digit numbers.

  • @RoguishlyHandsome
    @RoguishlyHandsome 1 year ago

    Good old Keepass 2. This is what our company requires us to use, backed up on our company-issued OneDrive, as well as full disk encryption for all drives.
    Pick a good password and you can store it on your hard drive, use the sync feature to sync it with a copy on your NAS, Google Drive, OneDrive, etc.

  • @32_bits
    @32_bits 1 year ago +2

    This is such an important subject that it needs a part 2 and poss. Part 3 video, with answers pls.

    • @GaryExplains
      @GaryExplains 1 year ago +1

      I agree this is an important subject. Unfortunately it isn't a popular subject as the view count on this video is quite low. If I was to consider a follow-up video, what should it cover?

    • @32_bits
      @32_bits 1 year ago +1

      @@GaryExplains As there are many comments for using Bitwarden and this is open source, a video on the pros and cons or how to configure/use? I have yet to use a PW manager and trusted advice is always welcome.

  • @forest3
    @forest3 1 year ago +9

    Bitwarden and 2FA rocks for me. Good show Gary!

  • @D3ND
    @D3ND 1 year ago +3

    I personally use a password generator (lesspass). The concept is simple, I type in my login, the website, and the master password, and the program locally generates a password for these parameters.
    No internet connection is required, nothing is stored anywhere.
    The obvious compromise of it is that someone can get hold of your master password and generate all the passwords for the websites you use. But I personally think that this is a good point in the middle between the cross-platform convenience and non-relying on third parties.

  • @DK-ox7ze
    @DK-ox7ze 1 year ago

    I store my banking passwords in the notes app on my iPhone, and those notes are locked using face id (iPhone passkey). Is this as safe as a password manager?

  • @Hirens.
    @Hirens. 1 year ago +2

    I don't use password managers because they are way too finicky for me. But I use two factor authentication methods and strong passwords.

    • @dean8525
      @dean8525 6 months ago

      There is no way every account you have ever created has a unique and strong password.

  • @rudranilghosh2713
    @rudranilghosh2713 1 year ago +4

    Make a follow-up video on how popular password managers work, like Bitwarden, LastPass, Edge, Chromium, Firefox

  • @broccoloodle
    @broccoloodle 1 year ago

    Hi Gary, could you recommend an open source password manager with a mobile app and zero knowledge at the server side?

    • @GaryExplains
      @GaryExplains 1 year ago +5

      KeePass and BitWarden are two popular ones.

  • @andrewtelford7436
    @andrewtelford7436 1 year ago

    Vaultwarden allows you to self host a password manager server that works with the bitwarden client programs!

  • @somepersonontheinternet2938

    For added security you can implement the double blind method to password managers, let me explain.
    The idea of a double blind password is that both you and the password manager don't know the full password, only part of it. Great in case of a data breach.
    You have the p/w manager create a strong random password that is the bulk of the password.
    When setting a new password you take the manager-generated password, then at the end you add a 4 digit code (can always be the same numbers, as the rest of the password is random) that only you know from memory; this part is never added to the password manager.
    If a website has a data breach and passwords are leaked, it looks like a random password and needs to be changed. If the password manager is broken into, all the passwords in it are effectively useless because the 4 digit code added at the end isn't in there.
    password manager stores: ChocolateBar
    4 digit code you remember: 2971
    full password for website: ChocolateBar2971

    • @somepersonontheinternet2938
      @somepersonontheinternet2938 1 year ago

      @O. M. Indeed that is true if the cracker knows that you're using the double blind password method and what type of memorized code you use. You could use 4 digit numbers or 4 letters, a mix of the two, or use numbers/letters with special characters or something else that will look in place with a randomly generated password; I was just giving an easy example for the explanation.
      Yes this method isn't that useful when faced with restrictive passwords.

  • @maartentoors
    @maartentoors 1 year ago

    Hi Gary/Commenters, we are testing Keeper at the moment.
    Does anyone have experience using it? Would love to get some feedback from you guys!

  • @JimMcKeeth
    @JimMcKeeth 1 year ago

    Does 2FA secure my encrypted password file or just my access to it? Seems like 2FA requires a server in-between, so if the hacker stole the encrypted file then the 2FA won't make it more resistant.

    • @GaryExplains
      @GaryExplains 1 year ago +2

      2FA doesn't improve the encryption or security of the passwords stored by the password manager, what it does do is create a second step that means even if the hacker has your password they can't login because they can't pass the 2nd factor. It is like a second lock on a door. You need both things to login.

    • @JimMcKeeth
      @JimMcKeeth 1 year ago

      @@GaryExplains that's how I understood it to work, thanks.

  • @WilliamBurlingame
    @WilliamBurlingame 1 year ago +2

    I use BitWarden.

  • @michaelkrailo5725
    @michaelkrailo5725 4 months ago +1

    Do not use proprietary password managers that sync to the cloud; they are all targets for hackers and will eventually be breached. Much better to use a local manager. I use the standard pass package from just about any Linux distribution. Very easy to manage myself and it offers very good security in addition to the two factor authentication that is usually required for banking sites.

  • @trelligan42
    @trelligan42 1 year ago +5

    I use KeePass. The encrypted database is your own local file, and can be copied anywhere convenient (even on cloud services) because of the strong encryption. The program is free open source, and is constantly updated.
    The interface is a bit clunky and you will spend some time with validating all those sites that provide services for everyone, but that does reduce with time. You will need some knowledge (mostly vocabulary) of cryptography, but the help pages are good.
    There are third-party browser extensions that will query the password data through the KeePass program. As always, watch where you download from.

    • @john_unforsaken
      @john_unforsaken 1 year ago +2

      Me too, been using it for years after watching a hak5 vid

  • @LifehackerAsh
    @LifehackerAsh 1 year ago +1

    What do you think about Apple’s built in password manager in settings ? They store it on iCloud. I use that for my passwords. It also generates random passwords.

  • @digitalman2112
    @digitalman2112 1 year ago +1

    Have heard that length of password is more important than the characters that make it up.

    • @MarquisDeSang
      @MarquisDeSang 1 year ago +1

      Only use symbols and foreign characters: Chinese or Japanese symbols.

    • @GaryExplains
      @GaryExplains 1 year ago +3

      Yes and no. If you have a long password with just lowercase letters then that reduces the number of permutations and negates the fact that it is long. The best is a long password (12 or more characters) using letters (mixed case), numbers and symbols.

  • @beest_
    @beest_ 5 months ago

    I have one long password for almost everything. Decades and no issues 😃😃

    • @undefinedxx55
      @undefinedxx55 2 months ago

      How long approximately? A lot of websites and shit have a character limit and it's annoying

  • @Richie_
    @Richie_ 1 year ago

    I use 2FA on most sites

  • @jeremiestern
    @jeremiestern 1 year ago

    I realized the background was AI-generated only 5 minutes into the video. Great video btw

  • @allanflippin2453
    @allanflippin2453 1 year ago

    OK, so maybe this is a stupid question. When you talk about two-factor authentication, how does this help if the website you're visiting in the first place doesn't implement it? Most that I go to only want a password and never use anything else.

    • @GaryExplains
      @GaryExplains 1 year ago

      You need to activate it specifically, it isn't on by default. All the major websites offer it, but smaller ones don't.

  • @steven11101010
    @steven11101010 1 year ago +1

    Wasn't mentioned, but password managers (at least for LastPass), can make it easier for you to track the age of a password. It's a good practice to regularly change older passwords. Especially if you receive a breach notice, as in LastPass' case. This renders that data theft useless.

  • @thaernejem7317
    @thaernejem7317 1 year ago

    I used to use iPhone notes to save passwords, and recently I started to use KeePass but I don’t feel comfortable doing that. I use a combination of a standard phrase and an addition of letters related to the service that I use to make it easy to remember. I know it is not the best idea but it works for me.

  • @4olovik
    @4olovik 1 year ago

    Using Firefox and the built-in password manager. This org has a long positive reputation.

  • @somcho
    @somcho 1 year ago

    @gary, you didn't actually answer if these are safe, as was implied that you were going to do (in the video title)

    • @somcho
      @somcho 1 year ago

      his title is a yes or no question. and I'm left not knowing whether he thinks yes or no. maybe it was just poor grammar

    • @somcho
      @somcho 1 year ago

      ... just change the title to the one in the video's thumbnail, "How safe are password managers". So it's not click bait for those of us that were eager to hear his opinion of the answer to the yes/no question that is the current title

  • @divyangvaidya9675
    @divyangvaidya9675 1 year ago

    What if you forget the password to your password manager? 😂

  • @DK-ox7ze
    @DK-ox7ze 1 year ago

    Our passwords are encrypted with a master key, but technically, the password manager app can read the master key if it wants and decrypt all our passwords right?

    • @GaryExplains
      @GaryExplains 1 year ago

      Technically the password manager could be sending all your passwords to a server in China. What exactly are you trying to say?

    • @DK-ox7ze
      @DK-ox7ze 1 year ago

      @@GaryExplains I was just trying to figure out whether it's okay to trust big companies like WhatsApp or Apple who say we can't (not don't) read your data. Because technically they very well can, as they can access our private key.

    • @GaryExplains
      @GaryExplains 1 year ago

      While technically they can access your key, to do so they would literally need to bypass their own systems and intentionally act in a malevolent way. Why I say that is because the login systems are designed to be zero knowledge, where your actual key/password isn't sent to their servers. The actual tech is quite clever/complex and more than I can describe here in a YouTube comment. But as a very simple (over-simplified really) example: if the server has a hashed copy of your key/password (but not the actual key/password) then you only need to type in your password and the client can generate the hash and send the hash over to the server. If the hashes match then the passwords match, but the server didn't receive your actual password. The hashes are designed to be impossible to reverse.

    • @DK-ox7ze
      @DK-ox7ze 1 year ago

      @@GaryExplains I can imagine how this works for login authentication etc, but I didn't understand how such a mechanism will allow encrypted communication between two people chatting on WhatsApp, or storing an encrypted backup on iCloud without WhatsApp or Apple having the ability to read it. From what I understand, it seems that the client generates an encryption key which doesn't leave the device and which is used to encrypt chats and backups. The user is acting in good faith that WhatsApp or Apple won't read the key from the client, even though they can do it because the client app's code is completely under their control. It will be great if you can make a video on this which explains this in detail.

    • @GaryExplains
      @GaryExplains 1 year ago

      Ah, I see. You may find my video on public key cryptography useful: czcams.com/video/rLiEA06Bcic/video.html

  • @AndersHass
    @AndersHass 1 year ago

    As long as the password is long enough it should be fine. The biggest issue is just maybe someone who knows you can guess it, like Gary-Explains-is-my-favorite-Y0uTuber (it would be better if it is even longer than this), where a totally random one won’t be as guessable.

    • @GaryExplains
      @GaryExplains 1 year ago

      Don't underestimate the power of dictionary attacks. A shorter truly random password is better than a longer text only one with known words.

    • @AndersHass
      @AndersHass 1 year ago

      @@GaryExplains yes, of course have other things than words, but it will likely be very complicated for most people to remember a truly random long password compared to having a long sentence with various characters beyond just upper and lowercase letters in it. But maybe dictionary guessing could easily solve the example I have written even with the changed o to a 0; I am not that familiar with those compared to just random brute force with various characters.

    • @pixelfairy
      @pixelfairy 1 year ago

      @@GaryExplains we have more words than characters. Each word is more entropy than a new character. Entropy is the number of elements available to the power of the number of elements used. As shown in xkcd#936, 10 random characters has only 28 bits of entropy, whereas 4 random English words would have 44 bits depending on how many words you know. For those passphrases you have to remember, words are better than characters.

  • @maurizioferreira4721
    @maurizioferreira4721 1 year ago

    I use a little black paper notebook ...

  • @JamesSmith-cm7sg
    @JamesSmith-cm7sg 1 year ago +2

    Nothing is 100% secure, but password managers are an improvement on memorised passwords.
    Assuming you lock down access to the password manager itself with MFA

  • @Archer_Legend
    @Archer_Legend 1 year ago

    Ok, now we know that the password of your Twitter account is chocolate bar

    • @GaryExplains
      @GaryExplains 1 year ago +1

      😂

    • @Archer_Legend
      @Archer_Legend 1 year ago +3

      @@GaryExplains jokes aside, thank you for making this piece of content. After the recent backlash due to a famous service being cracked I wanted to see the subject in a bit more detail, thanks professor!

  • @ulfmodig136
    @ulfmodig136 1 year ago

    Bitdefender is OK unless you have an iPad. That version must be a beta.

  • @someoneyouneverknow7529

    The best password managers are physical papers

  • @An.Individual
    @An.Individual 1 year ago

    PostIt notes stuck to the side of my monitor.

    • @lexxynubbers
      @lexxynubbers 1 year ago

      Safer than LastPass

    • @An.Individual
      @An.Individual 1 year ago

      @@lexxynubbers Much safer. My post it notes have never been breached unlike LP.

  • @peterstelle
    @peterstelle 1 year ago

    What if it is breached? There is no security from that

    • @GaryExplains
      @GaryExplains 1 year ago

      Yes there is. The passwords aren't stored in a plain text file; the passwords are encrypted, and with systems like "zero knowledge" the only person who can decrypt them is you, via your master password. Even the staff at the password manager company can't read them.

    • @peterstelle
      @peterstelle 1 year ago

      @@GaryExplains and how do you make sure a release does not introduce a vulnerability? 0 day? Password safety is critical.

    • @GaryExplains
      @GaryExplains 1 year ago

      So you are asking about the possibility that the password manager extension in the browser is an attack surface?

  • @rosstempleton9313
    @rosstempleton9313 1 year ago

    I use a password manager I coded myself so it’s not worth the hackers' time to try and break it.

  • @subugatai7377
    @subugatai7377 1 year ago

    2FA is a bad idea for your main password manager. What if you lose your phone? You're screwed. Okay you keep one-time login codes. What if you lose your phone, and you don't have access to the codes? It happens. Fire in the middle of the night, car accident and the car is irretrievable, on vacation and your phone gets stolen etc. These are all situations where a one password browser based login to all your shit would be clutch. But if you set up 2FA you are totally F'd. It actually works against you.

    • @GaryExplains
      @GaryExplains 1 year ago +1

      That is why a) you store your recovery codes somewhere different, b) you have two Yubikeys and one you store, again, somewhere different.

  • @madmotorcyclist
    @madmotorcyclist 1 year ago

    I'm old school and back up my passwords on a spreadsheet. However, I do not just copy the passwords but use a code to remind me what my password is, like revsecondbikemidfirstdog. Good luck guessing what that translates to, 'cause only I would know it.

  • @AndrewRoberts11
    @AndrewRoberts11 1 year ago

    FYI: Two factor authentication is vital for end sites, but not necessarily the password manager. If someone gets hold of a copy of your password vault, say from the provider's development or backup environment, they can attempt to brute force their way in, to get all your site passwords, using an old, GPU based, crypto mining rig. How long it will take will depend on the algorithm used, key length, and known factors / salts.

    • @AndrewRoberts11
      @AndrewRoberts11 1 year ago

      Not forgetting most hold a database of your private Master Password Hashes, to allow your account to be recovered by entering an SMS auth code, stored one time password, Auth code, or something else. The hashes will open your vault, without any knowledge of the password itself, and permit you to set a new one.

  • @jellotrees
    @jellotrees 1 year ago +6

    I saw a technique to increase the safety of password managers in czcams.com/video/boj9q26gadE/video.html by All Things Secured. I use the password manager to store a long convoluted password, but then I add a few additional characters to each important password. For example, if my extra characters are cklt, and my password manager stored 5#aX83Zw2, then my password would be 5#aX83Zw2cklt. I use the same characters for all passwords, so I only have to remember this single extra password. Although reusing passwords is normally bad, all of my passwords still have the normal random characters, so this reuse of a few characters doesn't make the password any less safe. While a few extra characters would be easy to crack if someone does get one of my passwords, the cracker would need to know that I am using this technique. Unless it becomes very common, I am guessing that most crackers would just move on when the initial cracked password doesn't work.
    I consider this an additional form of 2 Factor Authentication. I don't use it instead of 2FA, but not all sites have reliable 2FA so this provides some additional protection. It also protects not only against server side breaches, but also against local breaches (e.g. someone accessing your local computer while your password manager is unlocked, or someone accessing a password in your clipboard).
    Incidentally, if you use a password manager, turn off any clipboard managers, including those built in to your system. While most password managers support autofill, it doesn't always work, and sometimes you need to cut and paste. Clipboard managers will scarf up those passwords, and may save them for a long time.

    • @rohit31chauhan
      @rohit31chauhan 1 year ago +1

      Yeah this clipboard thing has me worried

    • @jellotrees
      @jellotrees 1 year ago +3

      @@rohit31chauhan A couple of additional things about the clipboard.
      Samsung Android devices have a clipboard manager that cannot be turned off. (At least that is true on my Samsung Galaxy tablets; reports are that it is true on Galaxy phones as well.) The clipboard manager will save your clipboard indefinitely (or at least for a long time). If you don't use the Samsung Keyboard (e.g. you use Gboard), you cannot even see it, but it is still there, and could potentially be accessed by a malicious program. As far as I know, the only way to even clear it is from the Samsung Keyboard. Really annoying, and there are online complaints about it, but Samsung hasn't done anything. So I try to use autofill and avoid copy and paste with sensitive passwords on my Samsung devices.
      Also, not all password managers are created equal as far as autofill is concerned. I used to use LastPass (several years ago; before all the recent security problems), and found that autofill was hit or miss, especially on Android. I switched to BitWarden, and found that it was much more reliable, although not perfect (and you do need to enable all the possible ways of turning on autofill to get this reliability). I haven't used any other password manager, but the lesson is that if autofill doesn't work reliably, try another password manager and it may be better.

  • @utkarshtiwari12
    @utkarshtiwari12 1 year ago +1

    I can't recommend anyone any password manager but can recommend everyone not to use Microsoft Authenticator. It is the worst of all password managers. I have been using it for more than 3 years and also enabled cloud backup, but recently I changed my phone and tried to restore all passwords; it says no backup found and I have lost so many of my accounts & profiles and had to create a new profile for every app with all my data lost.
    So I highly recommend not to use Microsoft Authenticator.

  • @MaxMustermann-vy7ur
    @MaxMustermann-vy7ur 1 year ago +2

    Strongbox, Keepassium on iOS, iPadOS, macOS

  • @BareSphereMass
    @BareSphereMass 1 year ago +1

    I recommend using Bitwarden + a hardware key, like Yubico or SoloKey.
    It's $10 a year, and is 100% worth it!

  • @KeepEvery1Guessing
    @KeepEvery1Guessing 1 year ago

    I would tell you what I use if I could do it anonymously. I don't feel that a YouTube comment counts.

  • @AkashSingh-uk5ub
    @AkashSingh-uk5ub 1 year ago

    Yes, until you put all your eggs in one basket

  • @Stewie-Griffin
    @Stewie-Griffin 1 year ago +1

    Just use the memory palace method to memorize all your passwords

  • @netcalibur
    @netcalibur 3 months ago

    KeePass all the way

  • @DEFcomUK
    @DEFcomUK 1 year ago +2

    I use BITWARDEN on my phone and PC it's also FREE.

  • @fire_stick
    @fire_stick 1 year ago +9

    I’ve cracked Garry’s password
    ChocolateBar123456 😂

  • @BrianGlaze
    @BrianGlaze 1 year ago +4

    I have a hard time trusting password managers because I just assume they all will get hacked 🤣🤣

    • @rohit31chauhan
      @rohit31chauhan 1 year ago +2

      I feel the same but seems like there is no choice considering everything requires a password

    • @mikeg9b
      @mikeg9b 1 year ago +3

      I use a password manager, but I have nothing against writing passwords down and keeping them in a secure and/or secret place. The only way hackers could get your passwords would be to break into your house and somehow know which book in your bookcase has the piece of paper with your passwords.

    • @mikeg9b
      @mikeg9b 1 year ago

      @O. M. Go back and look at the first 5 words of my previous reply. I have hundreds of passwords. I only use them on about 3 computers, all in my house. I try not to use my phone very much because it's a bad habit I don't want to fall into, so I type passwords in my phone manually (at home). "On the go," I generally don't have access to my passwords, unless I'm evacuating from a hurricane, and then I'll have a laptop and a memory stick on a keychain with my password file.

    • @jonbikaku6133
      @jonbikaku6133 1 year ago +1

      Most managers won't give out your passwords even if they get hacked. This is because they don't store your master passwords anywhere (or you'd hope so).

    • @BrianGlaze
      @BrianGlaze 1 year ago +1

      @@jonbikaku6133 since this video I have adopted Bitwarden so I've become part of the password manager crew.

  • @Norman_Fleming
    @Norman_Fleming 1 year ago

    Are Password Managers Safe and Secure? No.

    • @mikeg9b
      @mikeg9b 1 year ago +3

      Is anything safe and secure? No. But some things are safer and more secure than other things, and password managers are a big step up from what most people would do without them.

  • @Chalisque
    @Chalisque 1 year ago

    The way I use to avoid storage is to involve SHA256 in the process. For example, if I put "MySecretAmazonPassword1" through sha256sum and convert the result to base64, I get XO9x79WoQoLPwLYmKt4OxcMTMcca9stetANC5tx4RrE, from which I can take the first 16 characters, XO9x79WoQoLPwLYm, and use that as a password for Amazon. Likewise hash "MySecretFacebookPassword1" for Facebook. So long as I don't write down the "MySecret" prefix and the "Password" postfix, or what scheme I use to go from Amazon to the hash input, only the Amazon bit in the middle, I can use a lot of my password scheme unmodified for a large number of sites (i.e. only do things differently when things are of a financial or sensitive nature, and for that change the "MySecret" prefix to e.g. "MySuperSecret"). That means that, given a GNU or macOS command line, I can easily recreate e.g. my Amazon password from memory given the Amazon bit and perhaps a minimal hint as to the prefix (e.g. put the prefix through SHA256->base64 in the same way and note the first three or four characters). So given "Amazon" and "u8o" I can use the command
    echo -n "MySecretAmazonPassword" | sha256sum | cut -c1-24 | xxd -r -p | base64
    to get my hypothetical Amazon password, and the only issue is visibility of the MySecret bit as I type it in, and possibly keyloggers.
    But that's the basic idea, and it requires minimal storage, and storage that, even if an attacker compromises my 'hint sheet', they still have a lot of work to do brute forcing hashes (e.g. find every string that hashes to something beginning with "u8o" still leaves a lot of number crunching, and then a string that does hash to give "u8o" is very unlikely to be the prefix I'm using, but if I mistype a prefix, I'm likely to generate something that begins with something other than "u8o", so this tells me if I've mistyped my secret prefix, but doesn't tell an attacker enough to guess it).
    That's the idea. (And the essential mechanism can be duplicated in e.g. JavaScript using crypto.js so that I can have a webpage I can use to do similar).
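The hash-derived scheme in the comment above, written out as an added Python illustration (not the commenter's own code); it also reproduces what the `sha256sum | cut -c1-24 | xxd -r -p | base64` pipeline computes and implements the "first three characters of the hashed prefix" hint check. The prefix, suffix and site names are constructed placeholders, not real secrets.

```python
import base64
import hashlib


def derive_site_password(secret_prefix: str, site: str, secret_suffix: str, length: int = 16) -> str:
    """SHA-256 the concatenated string, base64 the digest, keep the first `length` characters.

    Caveat for anyone adopting this: SHA-256 is a fast hash with no iteration count, so the
    only thing protecting the secret prefix is its own unpredictability (compare the PBKDF2
    iteration advice elsewhere in this thread).
    """
    digest = hashlib.sha256(f"{secret_prefix}{site}{secret_suffix}".encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def derive_like_shell_pipeline(secret_prefix: str, site: str, secret_suffix: str) -> str:
    """Mirror `sha256sum | cut -c1-24 | xxd -r -p | base64`.

    The first 24 hex digits of the digest are its first 12 bytes, and 12 bytes base64-encode to
    exactly 16 characters with no '=' padding, so this equals the first 16 characters of the
    base64 of the full digest.
    """
    digest = hashlib.sha256(f"{secret_prefix}{site}{secret_suffix}".encode("utf-8")).digest()
    return base64.b64encode(digest[:12]).decode("ascii")


def prefix_hint(secret_prefix: str, chars: int = 3) -> str:
    """The 'minimal hint' the commenter keeps on a hint sheet: the first few base64
    characters of SHA-256(prefix)."""
    digest = hashlib.sha256(secret_prefix.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:chars]


def prefix_matches_hint(typed_prefix: str, hint: str) -> bool:
    """Catch a mistyped prefix before it silently yields a wrong site password."""
    return prefix_hint(typed_prefix, len(hint)) == hint


if __name__ == "__main__":
    # Constructed example values; "MySecret" stands in for a prefix you would never write down.
    hint = prefix_hint("MySecret")
    if prefix_matches_hint("MySecret", hint):
        print("Amazon:", derive_site_password("MySecret", "Amazon", "Password1"))
        print("Facebook:", derive_site_password("MySecret", "Facebook", "Password1"))
```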

  • @BenjaminWSong
    @BenjaminWSong 1 year ago +1

    Been using KeepassXC for years and survived all these password fiascos so far… never understood the idea of handing your entire key bundle to a valet for safe keeping..

  • @RTheren
    @RTheren 1 year ago

    Personally using KeepassXC with password file synced to my own Nextcloud. 0 reliance on cloud, just the way I like it.

  • @logicalfundy
    @logicalfundy 1 year ago

    After what happened to LastPass - I've decided to switch to KeePassXC. Better security is one of those things that "cloud computing" promised, but fails to deliver. It just becomes a single point of failure that if breached exposes thousands to millions of customers.

  • @JohannY2
    @JohannY2 1 year ago

    Passwords don't have to be unreadable to be strong. "mycarisred" is as strong as "57&#jhtfh". Btw I use Dashlane.

    • @GaryExplains
      @GaryExplains 1 year ago +6

      mycarisred would likely get cracked in a short time. Dictionary based attacks are very effective. Also if the attacker guesses that you are using lowercase only then that password is just 26^10. According to 1Password, brute force attacks cost just $100 for 10 billion guesses.

    • @GaryExplains
      @GaryExplains 1 year ago +5

      I just used a password strength checking tool and I was right, mycarisred would fall quickly to a dictionary attack. A brute force attack would take about 2 hours on a system with multiple GPU cards.

    • @GaryExplains
      @GaryExplains 1 year ago +4

      Another site claims it would take just 30.84 minutes!!!

    • @JohannY2
      @JohannY2 1 year ago

      @@GaryExplains I also did a check on a website and it reports "mycarisred" will be cracked in 3 days and "MyCarIsRed" in 12 days - a LOT more than 30 minutes. What I would then like to understand is the process of cracking the password: The hacker does not know which characters my password contains. So he can do a dictionary attack with standard dictionary words, but then after that will have to do a brute force attack and assume the password can contain all possible characters. In this case it will only be the length that makes it stronger, not all sorts of funny characters. I once saw an interview with Edward Snowden and he said more or less the same thing IIRC.

    • @GaryExplains
      @GaryExplains 1 year ago +1

      @@JohannY2 I have a whole video about cracking passwords: czcams.com/video/EuJpchxir04/video.html
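An added back-of-the-envelope estimator (not Gary's, 1Password's or any strength checker's code) that puts the figures quoted in this thread and in @pixelfairy's entropy comment above side by side: the 26^10 keyspace of a 10-letter lowercase password, the "$100 for 10 billion guesses" price, the 44 bits of four random words from a 2048-word list, and what a PBKDF2 iteration count like the 100,000 recommended by @evolopterus above does to an attacker's guessing rate. The 2e10 guesses/second rate and the 10,000-word attacker dictionary are assumptions.

```python
import math

# Figures quoted in the thread above.
USD_PER_GUESS = 100 / 10_000_000_000          # "$100 for 10 billion guesses" (Gary, citing 1Password)
LOWERCASE = 26                                # "mycarisred" as lowercase-only: 26^10
PRINTABLE_ASCII = 95                          # mixed case + digits + symbols
XKCD_WORDLIST = 2048                          # xkcd #936: 11 bits per word, 4 words = 44 bits

# Assumptions (constructed, not from the page): a multi-GPU rig against an unsalted fast hash,
# chosen so that exhausting 26^10 lands near the "about 2 hours" figure quoted above, and the
# size of a common-word list an attacker might try before falling back to brute force.
FAST_HASH_GUESSES_PER_SECOND = 2e10
ATTACKER_DICTIONARY = 10_000


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when each of `length` elements is drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive attacker must consider."""
    return alphabet_size ** length


def usd_to_exhaust(alphabet_size: int, length: int) -> float:
    """Price of trying every candidate at the quoted rate; on average half of this suffices."""
    return keyspace(alphabet_size, length) * USD_PER_GUESS


def hours_to_exhaust(alphabet_size: int, length: int, kdf_iterations: int = 1) -> float:
    """Wall-clock hours to try every candidate.

    A vault protected by PBKDF2 with N iterations costs the attacker N hash computations per
    guess, so the effective guessing rate is divided by N. kdf_iterations=1 models a site that
    stored a plain fast hash.
    """
    rate = FAST_HASH_GUESSES_PER_SECOND / kdf_iterations
    return keyspace(alphabet_size, length) / rate / 3600


def summary() -> dict:
    """The thread's candidates, each scored as bits of entropy under the attacker model that
    fits it best (a word-based password is only as strong as its word count, not its letters)."""
    return {
        "mycarisred, brute-forced as 10 lowercase letters": entropy_bits(LOWERCASE, 10),
        "mycarisred, attacked as 3 common words": entropy_bits(ATTACKER_DICTIONARY, 3),
        "4 random xkcd words": entropy_bits(XKCD_WORDLIST, 4),
        "10 random printable ASCII characters": entropy_bits(PRINTABLE_ASCII, 10),
    }


if __name__ == "__main__":
    for label, bits in summary().items():
        print(f"{label}: {bits:.1f} bits")
    print(f"26^10 keyspace: {keyspace(LOWERCASE, 10):,} candidates")
    print(f"cost to exhaust at the quoted price: ${usd_to_exhaust(LOWERCASE, 10):,.0f}")
    print(f"hours to exhaust against a fast hash: {hours_to_exhaust(LOWERCASE, 10):.1f}")
    print(f"hours to exhaust behind PBKDF2 x100000: {hours_to_exhaust(LOWERCASE, 10, 100_000):,.0f}")
```

The PBKDF2 line is the reason the vault-side iteration count matters even when the master password itself is unchanged: the same keyspace, at the same price per guess, moves from hours to decades.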

  • @ashishpatel350
    @ashishpatel350 1 year ago +6

    bitwarden for the win

  • @virtuallifeform
    @virtuallifeform 1 year ago +6

    KeePassXC 👍🐧

  • @digitalman2112
    @digitalman2112 1 year ago

    I like the free Roboform (local only). Have been using it for years.