Most PRIVATE Password Manager

Captions
How secure are password managers?

A major password manager has been hacked for the second time in three months. LastPass says it detected unusual activity in a third-party cloud storage service.

Password managers are software for storing a digital list of your passwords securely, in what's called a password vault. Putting all your passwords into a single list and trusting software to secure it might be a scary prospect for many people. What if it gets hacked? They'll get access to EVERY important account of mine!

Using a password manager is actually one of THE MOST IMPORTANT things you can do to SAFEGUARD your digital life. In this video we'll explain why computer security experts almost unanimously swear by them, and how to keep your password vault super secure.

It's also really important that you choose a good password manager, and they're not all created equally. So we'll also compare 5 popular password managers to see how they stack up against each other, so that you can find one that best suits your needs. We'll give options that will suit most people, but also look at options for those who have higher security needs.

Let's recap why password managers are an essential part of your privacy toolbox: your passwords need to be way stronger than you probably realize, and without a password manager this would be completely unfeasible.

First, you may not realize how trivial it is to brute force passwords. Most people's passwords are way too simple, and can be cracked immediately. Even longer ones sometimes just take a few minutes. As a general rule, the longer your password, the harder it is to crack. Your password should be longer than 16 characters. That's a lot of characters to remember, so a password manager will remember it for you.

Next, every password you use needs to be unique, meaning that you don't reuse it on multiple accounts. This is because account passwords are leaked all the time.
3.2 billion email and password combos have been posted to the dark web. It is likely that your login details for various accounts are already available on the dark web. If an attacker obtains the password for one of your accounts, they will then try it on others. Even if you slightly modify your passwords for different websites, it's still easier for a hacker to get into your account than if you'd used a completely unique password. You're not going to be able to remember hundreds of long, unique passwords for every account, so again, a password manager will remember them for you.

Finally, your passwords also need to be randomly generated. This is important. When passwords are leaked, they're not usually in plain text.

It's a terrible security practice for a company to store your password in plain text, so most reasonable companies will store a "hashed" version of your password instead. Basically they have some mathematical function that they plug your original password into, that spits out a scrambled version of that password called a hash. The website doesn't need to know your original password; they only store the hash, and whenever you enter your password it will perform this mathematical function on it, and see if the hash value that's output matches the hashed value that they have stored.

One important characteristic of these hash functions is that they're one-way operations, meaning that it is easy to put in your password and generate a hash value from it, but if you only have the hash value, it's incredibly difficult to recreate the original password from it. And changing one tiny detail of the original password spits out a completely different hash output.

If a hacker got access to just a hash value, it wouldn't help them, because they need the original password to access an account. And it's incredibly difficult to recreate the original password from a hash.
But hackers being hackers find sneaky workarounds. They started creating entire databases of common passwords, and have precomputed what the hashed value of these passwords would be according to the most popular hashing algorithms. These databases are called "rainbow tables". Now if a hacker gets access to someone's hashed password, they can search in their database for that value, and see what the corresponding original password is.

So you don't want to use common words for your password that might make it into such a database. Instead you want a string of random digits.

One of the uses of password managers is they generate random passwords for you with the click of a button, and then save it for you. Having a long, random, unique password for every account, that you never reuse on other accounts, is one of the most effective ways to protect your online accounts from being hacked.

And password managers make this far easier. They're actually an amazing tool, a unicorn in the security world, because almost every single thing that you do to make yourself more secure will also make your life more inconvenient. Password managers are an exception: they will simultaneously make you more secure and also make your life easier. You only need to remember a single master password to access all of your stored passwords.

Now let's address the elephant in the room. What if someone gets access to your master password?

First step is you have to make sure that master password is REALLY strong, so that it can't be brute-forced. Remember our password rules: your master password to your vault must be long, unique, and random.

I recommend using a passphrase to secure your vault, because a string of words is easier to memorize than a string of digits. But you must choose these words randomly.
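The hashing and precomputed-table discussion above, as an added Python example (not code from the video or from any product it covers). It hashes a constructed six-entry "common passwords" list, looks a leaked hash up in that table the way a rainbow table would, shows that a generated random password is not in it, and counts how many hex digits change when one character of the input changes. SHA-256 stands in for "a popular hashing algorithm" here; `COMMON_PASSWORDS` and the helper names are assumptions for the demo.

```python
import hashlib
import secrets
import string

# Constructed stand-in for a "common passwords" database; real ones hold
# hundreds of millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "dragon"]


def sha256_hex(password: str) -> str:
    """The one-way function a site applies before storing a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(passwords):
    """Precompute hash -> password for every entry, as a rainbow table does."""
    return {sha256_hex(p): p for p in passwords}


def recover_from_hash(table, leaked_hash: str):
    """Reverse a leaked hash by table lookup; None means it was never precomputed."""
    return table.get(leaked_hash)


def generate_random_password(length: int = 20) -> str:
    """What a manager's 'generate' button does: a CSPRNG over a large alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def differing_hex_digits(a: str, b: str) -> int:
    """Count digest positions that differ (the 'one tiny change' effect)."""
    return sum(1 for x, y in zip(a, b) if x != y)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    # A leaked hash of a common password is reversed instantly by lookup.
    print("reversed:", recover_from_hash(table, sha256_hex("letmein")))
    # A long random password is simply absent from any such table.
    random_pw = generate_random_password()
    print("random in table:", recover_from_hash(table, sha256_hex(random_pw)))
    # Changing one character scrambles most of the 64 hex digits.
    print("digits changed:", differing_hex_digits(sha256_hex("letmein"),
                                                  sha256_hex("letmeiN")))
```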
A good way to randomly choose words is to use a word list like the one EFF has on their website, where you roll dice and the numbers correspond to different words. You need at least 6 words from a list like this, and that will have 77 bits of entropy.

"Bits of entropy" is a common metric for measuring the strength of a password or passphrase. Adding one bit of entropy doubles the number of guesses required, which makes it twice as difficult to brute force. 6 words is long enough to take thousands of years, maybe more, for current password cracking software to break.

Following these password rules is ESSENTIAL for securing your password vault, but it's not sufficient. If someone puts a keylogger on your computer, they can steal that password. So you must also secure your password vault with two-factor authentication.

We have videos explaining 2FA if you want to dive into the details, but the TL;DR is that a security key like a YubiKey is the most secure form of 2FA. With this second layer of protection, even if someone gets access to the master password for your vault, they won't be able to access any of the passwords saved in it; they will also need to have physical access to your security key.

With these steps, your password manager will be very secure and you will dramatically improve the security of your entire digital life. There are also ways to use your password manager that can make it even more secure if you have a higher threat model, and we'll go over those later in the video.

So what should you look for when choosing a password manager? Most of the well-known password managers are going to be fine for the average person. But, like all software, there is a fair amount of trust that you need to place in them. You can mitigate some of this trust by using a service that has publicly available, 3rd-party audits, and that is ideally open sourced.
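The dice-word passphrase and entropy arithmetic above, as an added Python example (not from the video or the EFF). It maps five dice rolls to an index in a 7776-word list, computes the entropy of an n-word passphrase, shows that one extra bit doubles the guesses, and converts the 6-word figure to years at an assumed attacker rate. `SAMPLE_WORDS` is a constructed eight-word stand-in for the real list, and the 1e12 guesses per second rate is an assumption.

```python
import math
import secrets

# Constructed miniature word list; the EFF large list has 7776 entries, one
# for every outcome of five six-sided dice.
SAMPLE_WORDS = ["acorn", "bison", "cactus", "dune", "ember", "fjord", "grove", "harbor"]
EFF_LARGE_LIST_SIZE = 6 ** 5  # 7776


def roll_dice(n: int = 5) -> list:
    """Roll n fair dice using the CSPRNG (secrets), never the random module."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def dice_to_index(rolls: list) -> int:
    """Map a result such as [1, 1, 1, 1, 2] to a 0-based list index (0..7775)."""
    idx = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("each die must show 1-6")
        idx = idx * 6 + (r - 1)
    return idx


def entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of num_words words drawn uniformly from a list of list_size."""
    return num_words * math.log2(list_size)


def guesses_needed(bits: float) -> float:
    """Average brute-force work: half the keyspace of 2**bits."""
    return 2 ** bits / 2


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected cracking time in years at a given guess rate."""
    return guesses_needed(bits) / guesses_per_second / (365.25 * 24 * 3600)


def make_passphrase(num_words: int, words: list) -> str:
    """Pick each word uniformly at random; never choose vault words by hand."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    bits6 = entropy_bits(6, EFF_LARGE_LIST_SIZE)
    print(f"6 words: {bits6:.1f} bits, 7 words: {entropy_bits(7, EFF_LARGE_LIST_SIZE):.1f} bits")
    print(f"one extra bit doubles guesses: {guesses_needed(bits6 + 1) / guesses_needed(bits6):.1f}x")
    # Assumed fast-hash attacker at 1e12 guesses/s; a slow KDF on the vault is far lower.
    print(f"years at 1e12 guesses/s: {years_to_crack(bits6, 1e12):,.0f}")
    print("dice", roll_dice(), "->", dice_to_index(roll_dice()))
    # Demo only: an 8-word list gives 3 bits per word, far too little for a vault.
    print(make_passphrase(6, SAMPLE_WORDS))
```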
For the more popular password managers, you can also look at whether or not they've had security breaches in the past.

Another thing to consider is whether you want an online or an offline manager. Offline password managers store all of your passwords locally on your computer or device, which is helpful if you're concerned about the security of storing your passwords online. However, online password managers are more convenient, and allow you to access your passwords from multiple devices, and safely share certain passwords with other people. I think an online manager is perfectly fine for most people.

A good password manager will claim "zero knowledge", meaning that passwords are encrypted on a user's own device before being sent to a platform's server. This way the password manager service can't access your passwords. Nor can any hackers who might compromise that company's servers.

But it's worth mentioning some of the risks of online managers so that you can decide for yourself your own comfort level. For example, some password managers may have good intentions but not have the necessary expertise to keep your passwords safe. In 2019, Blur, a password manager, left a file openly accessible on one of its servers that contained the names, emails, password hints and IP addresses of 2.4 million accounts. I wouldn't trust a password manager to secure my passwords if they have a history of such security breaches.

There's also a risk that if an online password manager is compromised in some way, it could be possible for a hacker to serve you malicious versions of their software through the web. Online managers that store people's encrypted password vault for them also present a very tempting target for hackers. Even if the hacker doesn't get your login details, other information like your login email and password reminders can be leaked.
If you're concerned about these risks, an offline password manager might be a better choice for you, and we'll go over some options. But I maintain that an online manager is a great choice for most people, provided you choose a good service.

So let's look at some of the most popular services, starting with LastPass. They have over 30 million users worldwide, and all the bells and whistles you would expect from a premium password manager. But despite its popularity, LastPass is very hard to recommend. They have suffered data breaches and multiple severe security vulnerabilities.

In 2015, email addresses, password reminders, and authentication hashes of LastPass users were compromised. There was also a string of discovered vulnerabilities from 2016 to 2019. To LastPass's credit, being one of the largest password managers does make them a huge target, and all disclosed vulnerabilities were promptly patched.

Then in 2022 LastPass was hacked again. Digital storage keys were stolen from a LastPass employee, allowing a hacker to gain access to private customer information. They accessed the history of web addresses the users visited, email addresses, phone numbers, names, and billing information, and they also copied customers' entire password vault.

Keep in mind that these vaults are encrypted, meaning that hackers are unable to access any data in the vaults, and that includes the name and notes fields. If you had a strong master password on your vault, it would take a hacker millions of years to crack it and access your list of passwords. But anyone who had a weaker password on their vault should be concerned. Changing your master password now to make it super strong won't help, because the old master password is the one tied to the hacker's copy of your vault.
If you feel like you had a weak master password, you should go ahead and change every password inside this vault, starting with the critical ones like email accounts and financial accounts.

These multiple security breaches lead me to not want to recommend LastPass to users. On top of that, their code is closed source, and while the company claims to do regular security audits, these reports are not available publicly unless you sign a non-disclosure agreement.

Their Android mobile app also contains a lot of embedded trackers that send personal details including the device being used, the mobile operator, and the type of password being saved. LastPass claims that no personally identifiable data nor vault data is sent and that they only use this data to improve their service. But according to a report from security researcher Mike Kuketz, some of this data appears to go to marketing companies such as Segment. This sharing can be opted out of, but I don't particularly like the idea of my password manager sharing data about me.

Next let's look at Bitwarden. It's free, fully open source, and rich in features. I highly recommend this password manager. It's easy to use, and also has various security levels depending on your threat model. You can use it normally as a desktop app, browser extension, and mobile app and sync it across multiple devices, or you could also choose to self-host your own Bitwarden server, giving you full control of your data with all the conveniences of online usage.

There are free and paid tiers for this password manager. I highly recommend you pay; a good password manager is worth it, and this will allow you to protect your account with a security key 2FA option. Bitwarden also has audits of its code that are freely available and transparent.
Bitwarden does have trackers in their apps, but because Bitwarden is open source you can actually analyze whether they're being used for the things Bitwarden says they are. Bitwarden uses Google's Firebase to send push notifications to help keep your vaults synced up, and Microsoft Visual Studio for crash reporting. Having reliable syncs across devices seems like a good tradeoff, and providing feedback when crashes happen may be worth it, but at the very least Bitwarden discloses this fully. But if you don't like it, you can always opt out or download the F-Droid version, which disables both.

For most people, Bitwarden has a good balance of convenience, offering a great out-of-the-box experience with minimal configuration required, while also giving users the option to take full control of their data if they'd prefer.

Next let's look at Dashlane, another popular option with an impressive user base of about 15 million people. They too offer a polished experience with some great features. It is closed source, and while they claim to do regular security audits, copies of these reports are not available to the public. But on a positive note, there have been no recorded security breaches of Dashlane.

I like Dashlane, but they recently stopped offering a desktop app version, which means it's only available as a browser extension now for computers, and a mobile app for phones. There are free and paid tiers.

A unique feature of Dashlane is that it utilizes machine learning to accurately do auto-fills across a wide variety of websites. However, we actually recommend you disable autofill functionality for any password manager you use, because it can present security risks.

Another cool feature unique to Dashlane is the ability to change your key derivation function. You don't really need to understand what this means, and for most people, the default choice of Argon2d is fine.
Perhaps the best feature of Dashlane is its ability to bulk change passwords for many supported sites, meaning that you can change your passwords for any of the supported sites all at once with the click of a button, and auto-save them.

It's worth noting that Dashlane too has been found to have trackers in their apps. Dashlane uses Sentry to track crashes and Braze to communicate with their customers. It's worth making a distinction between third-party services that don't really track you and provide useful functionality, compared to actual trackers. Although sometimes it can be hard to tell the difference.

In Dashlane's case, it's a mixed bag. On the one hand we can understand trackers that help report crashes and relevant information that would help the developers improve their product and fix bugs. Notifications of updates or renewal plans are also helpful. On the other hand, paid marketing attribution and usage details start going into the territory of more information than required for a password manager, even though it's considered part of improving the "customer experience".

In general Dashlane will be an acceptable option for most people, but there are probably better options.

1Password is another established player in the password manager space that also has over 15 million users. They were recently in the news having raised 620 million dollars with some celebrity investors such as Ryan Reynolds, Justin Timberlake and Robert Downey Jr.

How many of you have heard of 1password.com?

While 1Password is also closed source, they are much more transparent with their 3rd-party audits, and all the unedited reports are freely available on their website. They have many good features like multi-factor authentication, password strength reports, and secure password sharing. Vulnerabilities found in 1Password have been quickly remedied and there have been no known data breaches.
There is no free option with 1Password, but they do give you a 14-day free trial before you commit.

One thing that we found unique with 1Password is its Travel Mode, which allows you to delete your stored passwords temporarily when you're in other countries or crossing borders. These passwords are completely removed from the local storage in your device as long as Travel Mode is on. Immigration or border police in many countries can require you to unlock your device so that they can search it, so this option can be handy. It's also useful for businesses who may want to control which secrets employees travel with.

1Password is also one of the few password managers that do not use trackers in their Android app, even for crash reporting or syncing, according to Exodus Privacy.

From what we've seen from its customer interactions in forums, responsiveness to vulnerabilities, and also its transparency, 1Password seems like a high quality option for most people.

Now let's talk about KeePassXC. It's a free and open-source password manager that's highly recommended by many people in the privacy and security community, particularly as an offline password manager. It's more technically complex though.

Being an offline manager, it stores your password database locally on your device and does not rely on any external servers or services to function. All of the password management features of KeePassXC, including storing, generating, and retrieving passwords, are performed on your device.

One of the advantages of using an offline password manager like KeePassXC is that it can provide an additional layer of security because the password database is not transmitted over the internet, so it is less vulnerable to online attacks or data breaches. Not being reliant on any 3rd party to serve you code can really boost your security and privacy, and we recommend this as an offline tool if you have a higher threat model.
KeePassXC does have extensions for browser integration for Chrome, Brave, Edge and Firefox so that you can easily fill in passwords from your vault to your favorite websites.

Generally you'll want to use KeePassXC if you plan to use your vault entirely offline for increased security. It's great for higher risk people such as political dissidents or journalists who may be forced to open their vaults. You are making things more complicated for yourself by using a password manager completely offline, especially if you want to use the manager with multiple devices, but this tradeoff will absolutely be worth it for some people.

KeePassXC does offer the option to synchronize your password database across multiple devices using cloud storage services like Dropbox or Nextcloud. All that needs to be done is to save your KeePassXC database inside your cloud folder. This is not as seamless as using an online password manager. There are some quirks; for example, if you have several devices accessing the database at the same time, syncing conflicts can arise. You must be careful to properly log off your vaults when you're not using it on the device.

KeePassXC hasn't been audited yet, because it's a community-driven project, and audits come at a considerable price. But the code is all open source, which is helpful for community-driven audits.

One thing to note: there are a couple of other open source password managers with similar names. KeePassXC started as a fork of KeePassX, which itself is a cross-platform port of KeePass. They are separate products though with different features, and KeePassXC is what we're focusing on.
If you want to use a service online you might be better off going with one of the previously mentioned online managers like Bitwarden, but if you are looking for a password manager with the highest security, and you don't mind added inconvenience, using KeePassXC entirely offline is a great option, especially if your threat model is higher.

Another kind of password manager that is important to mention is a browser's inbuilt password manager. They're free, convenient, and most modern browsers have a way to keep them synced across devices via the cloud. Some experts say that these are insecure, while other experts say that for most people, these are more secure than standalone password managers.

Let's start by talking about what they all agree on: that using a password manager, whether in your browser or a standalone app, is better than not using one at all!

But there are a couple of reasons why I wouldn't recommend you use the password manager inbuilt to your browser. Most browsers will store your passwords in a database on your computer and they rely on the device's own OS security to keep them safe. But the issue is that if the computer is already logged in, these databases are unencrypted and unlocked. Some browsers such as Firefox and Safari provide ways to additionally encrypt them. For example, Firefox allows you to set a master password for them, but this is not prompted by default. Safari's approach is better, saving it in Apple's keychain, and they prompt you to unlock it when requesting a password.

Any respectable standalone password manager, by comparison, will store your passwords in an encrypted vault.

Privacy experts like Michael Bazzell don't ever recommend using your browser's inbuilt password manager, because if you get hit with a virus that has a stealer log, hackers will be able to grab all of your passwords.
On the other side of the fence are people like Tavis Ormandy, from Google's Project Zero team, who advocates FOR inbuilt browser password managers, because standalone password managers often rely on browser extensions and these can introduce vulnerabilities, whereas browsers can isolate their trusted UI from websites.

I agree that extensions do have vulnerabilities that people should absolutely be aware of, but I think that for the average person, a browser extension password manager from a reputable company is low risk and a good idea. If you're not comfortable with that, I don't think that your browser's inbuilt password manager is your solution, because stealer logs are a really serious concern. Instead, if you have a higher threat model, I'd recommend using something like KeePassXC entirely offline in a desktop app, and just copying and pasting your passwords.

In general, using a password manager can dramatically help you improve the security of your online accounts and make it easier to manage your login information. Some password managers are more secure than others, but the biggest risk to the average person is reusing passwords across websites. While there are fringe vulnerabilities with password managers, if you choose a well-regarded one, and you make sure you secure it with a really strong password and two-factor authentication, you're going to really help your digital privacy and security. It's an essential step in your privacy journey that you should start today.

NBTV is funded by community support. If you'd like to help us keep making free, educational content visit NBTV.media/support. Also just liking, sharing, subscribing, and commenting on our content really helps. Thanks so much for watching through to the end!
Info
Channel: Naomi Brockwell TV
Views: 245,067
Keywords: naomi, brockwell, bitcoin, cryptocurrency, Fiat, Bitcoingirl.org, btc, monetary, policy, currency, Bitcoin, Girl, crypto, blockchain, privacy, surveillance, naomi brockwell, nbtv, tech, nbtv.media, naomi privacy tips, passwords, password manager, lastpass, dashlane, keepassxc, 1password, bitwarden, vault, security
Id: 69AQruBI2nY
Length: 22min 22sec (1342 seconds)
Published: Sat Jan 21 2023