
Most Secure Password Management Explained - Go Incognito 3. 4 - Techlore
Date: 2022-04-15
Comments and reviews: 10
dragonatorul
You're doing great work with this series, but I have multiple issues with the advice you give in this particular video.
1. The method of generating "secure" passwords you recommended has several major flaws:
a. It is too complicated for most people to bother with and will lead to complacent behavior like replacing just a few letters (which is easy to brute force) or using just one "secure" password everywhere.
b. The passwords are not easy to remember by the user, but easy to crack by an attacker. Even if you use leetspeak, the best source of entropy in a password is length. In short, the longer the password the better. That's why I don't agree with your advice to not use words. In fact you should use words, lots of them. A password of at least 3 words, better if they're from different languages, with special characters as separators will be more secure than a one-word password with leetspeak simply because it will be roughly 3 times the size. The more words you use the harder dictionary attacks get, exponentially in fact. This has the added benefit that random words create interesting patterns in our brain, which makes them easier to remember.
2. Cloud-based password managers are not necessarily bad, or worse than local solutions like KeePass. In fact I'd argue that your recommendation is much more insecure than a cloud-based solution. First of all, if you actually read the details of the attacks on LastPass you'd have observed that no actionable information was lost, and that the company acted swiftly and transparently to secure their systems and notify affected users. Not only that, but they have a track record of swiftly responding (within hours, which is practically unheard of in general) to researcher reports of potential security issues, and have an active bug bounty program. These are the kinds of things to look for in any software, but especially password managers.
Open source does not necessarily mean more secure. It takes money to maintain a bug bounty program, so often without government involvement (such as in the case of VLC) or without the software being adopted by a big company (like AWS) there is much less incentive for researchers to bother poking at it. Even if they do, if open source software is not actively maintained or if the maintainers are not easy to interact with or fast to respond, even if someone does find a bug it can sometimes take months to be fixed. Even if bugs are being fixed, if there isn't an easy, secure and reliable way to push out updates to all instances of that software it will most likely not be updated by the users, who more and more expect software to just update itself these days.
In the case of KeePass you also have to deal with multiple different versions for different platforms, or multiple plug-ins, all of which are developed and maintained in separate projects by separate people and held to separate standards. A security flaw in one of them can affect the entire system. But the biggest issue with KeePass, and the way you recommend it be used specifically, is that it is just a file. Even if it is encrypted, that encryption is based on the password used by the user. If you upload the file to Dropbox, and someone gains access to your Dropbox account, the first thing they'll try is the password used for the Dropbox account. If that doesn't work they can just set up a brute-force attack on the file and hit it all day long for as long as they want. If they're smart and dedicated enough they can do it in parallel on multiple machines and keep at it with thousands or millions of tries every second for as long as it takes to crack it open. There are some mitigations against this, but you did not mention them. This is not a problem in cloud-based solutions because they will (hopefully) be able to detect and stop brute-force attempts, notify you of any breach attempts, and you can use MFA as an extra layer of protection (which you never even mentioned once in this video).
I could go on, but frankly after all this typing I'm just too disappointed in the contents of this video to bother. I hope you revisit your research on this and take another shot at this video in the near future.
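The entropy argument in the comment above (word count vs. leetspeak on a single word) as an added worked example, not code from the video or from the commenter; the word lists and the 7776-entry list size are constructed assumptions, and the guess rate is a parameter, not a measurement of any product:

```python
import math
import secrets

# Constructed toy word lists for demonstration; a real diceware-style list has
# 7776 entries, and the entropy functions take list sizes so real ones can be used.
ENGLISH = ["correct", "horse", "battery", "staple", "window", "lantern", "river", "copper"]
GERMAN = ["apfel", "bruecke", "wolke", "fenster", "schluessel", "garten", "zucker", "vogel"]
SEPARATORS = "-_.!"


def passphrase_bits(list_sizes, separator_choices=1):
    """Entropy against an attacker who knows the scheme: every word is a uniform
    draw from its list, plus one uniformly chosen separator for the whole phrase."""
    return sum(math.log2(n) for n in list_sizes) + math.log2(separator_choices)


def leet_word_bits(list_size, substitutable_chars):
    """One dictionary word with leetspeak: the attacker tries every word combined
    with every on/off pattern of the k substitutable characters, list_size * 2**k."""
    return math.log2(list_size) + substitutable_chars


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the password: on average half the keyspace is searched."""
    return 2 ** (bits - 1) / guesses_per_second


def generate_passphrase(lists, n_words, separators=SEPARATORS):
    """Draw words alternating across lists with a CSPRNG, joined by one separator."""
    words = [secrets.choice(lists[i % len(lists)]) for i in range(n_words)]
    return secrets.choice(separators).join(words)


def compare(guesses_per_second=1e9):
    """Leet on one of 7776 words (4 substitutable chars) vs. 3- and 5-word phrases."""
    leet = leet_word_bits(7776, 4)
    three = passphrase_bits([7776] * 3, len(SEPARATORS))
    five = passphrase_bits([7776] * 5, len(SEPARATORS))
    return {
        "leet_bits": leet, "three_word_bits": three, "five_word_bits": five,
        "leet_seconds": expected_crack_seconds(leet, guesses_per_second),
        "three_word_seconds": expected_crack_seconds(three, guesses_per_second),
        "five_word_seconds": expected_crack_seconds(five, guesses_per_second),
    }
```

Each added word multiplies the keyspace by the list size, which is the "exponential" growth the comment refers to; an offline attack on an exported vault file is bounded only by the guess rate, so the bits matter more there than behind a rate-limited login.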
skaruts
I like the idea of Master Password, but I think it has a few potential weaknesses.
- maximum password length is 20 characters
- the app comes with passwords visible by default, which is sloppy imo, and even if you turn that off, it will show the password when you click "set/save personal password/login", making it susceptible to keyloggers that screenshot your actions.
- if you need to renew a password, you have to raise the password counter. I'm not sure if this is a problem, but if your user settings are stored locally, then you'll have to remember that counter for each site when accessing from elsewhere, which is quite hard. Or if you lose your user settings, then you lose those passwords. Not a big issue, but.
An observation: they state on their website that "Most browsers will then ask you to save the site's password. If you're comfortable with that, it's a good way of skipping the above steps and logging in even faster next time."
A sloppy suggestion, on their part?
Mbeluba
I really don't agree with the password manager database compartmentalisation.
Just tell people "use Bitwarden, don't reuse passwords, use OTP 2FA".
Being able to do this basic thing will enable people to continue with other compartmentalised privacy things and free up mental energy.
Give that 1-minute-long info in the beginning and only after that add the additional information (the additional appending phrase is genius, although I don't think 99% of people would benefit in any way from it).
wildmanjeff42
Great video, wish I had seen it 10 years ago, but I have been using KeePassXC with a keyfile and a 15-digit password for about 2 years now. Very easy, and I feel safe keeping up with my own passwords (backup thumb drive and older dv versions stored on my personal TrueNAS encrypted storage).
Thanks for your time making Incognito videos -- I have learned a lot from them!
Prog47
My home was recently broken into, but fortunately they didn't take any electronics because they know the police can track them. Since then I started looking for solutions to protect my data, since I can think of nothing worse than a stranger having access to my laptop.
I'm going to encrypt my PC with VeraCrypt and require a BIOS password for new drives.
Daniel
I'm thinking of making my own password manager that syncs only with Bluetooth and stores data locally in encrypted form with a unique key for each device. So if you need to sync, you'll need to bring your devices physically closer. Sure it is less convenient, but I'd take that over ANY cloud service any day.
Inter
KeePass is good, but if you are on a Unix-based OS like Linux or macOS you can use pass, the standard Unix password manager, which uses your own GPG keys to encrypt your passwords and store them locally on your machine, and there are quite a few syncing add-ons for it too.
Jay
I disabled the ALP on my first cell phone because it didn't work most of the time. Maybe the screen wasn't sensitive enough or it was dirty, but I got tired of it locking me out when I kept entering the correct pattern but the phone repeatedly didn't recognize it.
The
It is better to have a long password (the longest you can) with dictionary terms than the thing you suggested here; if you want, I do recommend the latest NIST guidelines on passwords. The suggestions at 3:20 are outdated because they are too easy to forget.
Franklin
Very valuable info, thank you! I try hard to be safe online, but you mentioned weaknesses about which I had no idea. With 1Password going to subscription only, having total offline control of passwords is getting more difficult.