Today, I’m gonna show you the best way to get started with password managers and simplify your personal security. When I first started out, it was so overwhelming trying to remember the login info for everything. I ended up recycling and reusing the same credentials, which is a HUGE risk, since one compromise could lead to all of them getting hacked. But by using a password manager, I can generate unique logins for each account in an encrypted database. Best of all, I now only have to memorize a single strong password to secure everything!

In this video I’m gonna take you step-by-step through setting up my password manager of choice. We’ll go through generating a strong master key, the workflow for using it on a daily basis, and cover some options for using password managers on multiple devices. Stay tuned.

My password manager of choice is
KeePassXC. It’s a free and open-source fork of the original KeePass but under more active development. It works on Windows, Linux, and macOS. Using an offline manager like KeePassXC gives me full control over the password database, and forces me to access it only on devices that I own and trust.

Now, some of you might wonder if using a password manager is like putting all your eggs in one basket. Well, the alternative is putting each egg in many baskets, except when you lose a basket, you still lose all of your eggs. You should treat your password database more like a bank vault that requires special attention to how you secure it. Unless you can memorize long random passwords for every single account, you’re probably gonna recycle predictable ones for everything.

You might also wonder, why not just use your web browser to remember your passwords for you? Well, flip that logic around. Why would you wanna use your password manager to browse the web? Browsers have a long history of storing your passwords insecurely and are also quite vulnerable to attack, since they’re the first to be exposed to malicious code on websites. The best practice in cyber security is to separate the roles of your software. Use the web browser for browsing and a password manager for passwords. With that being said, let me show you how
to get started.

So first, let’s navigate to keepassxc.org. Click on the download button and select the right one for your operating system. It’s ALWAYS important to verify the integrity of the downloaded file whenever possible, to ensure you’re not getting a maliciously tampered installer. To do this, download the checksum file. For instructions on how to verify the installer, scroll down and click on the verify link. On Windows, open up PowerShell, navigate to the directory you downloaded it to, copy the command and paste it with a right click or Shift-Insert. On macOS or Linux, open up a terminal and do the same thing. The checksum file contains a SHA-256 hash of the installer.

If you wanna verify the integrity AND authenticity of the file, download KeePassXC’s public key and the installer’s PGP signature. Import the public key, and use GPG to verify the signature. Verifying authenticity ensures that even if KeePassXC’s website was hacked to serve a false checksum for a tampered installer, the attacker would still not be able to create a false signature. He’d have to steal the KeePassXC team’s private key to do this.
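As an added example (my own script, not KeePassXC’s tooling or anything from the video), here is a small Python routine that does by hand what the checksum step above does: it parses a SHA-256 checksum file in the `sha256sum` line format, hashes the downloaded bytes, and reports a mismatch or a file that the checksum file does not list at all. The installer bytes, file names and checksum lines below are constructed for illustration.

```python
import hashlib
import re

# One line of a sha256sum-style checksum file: "<64 hex chars>  <filename>".
# A '*' in front of the filename marks binary mode (seen on Windows) and is ignored.
_LINE_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$")

def parse_checksum_file(text):
    """Map each filename listed in a SHA-256 checksum file to its expected hex digest."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {raw!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_download(name, data, expected):
    """Return (ok, reason). A file missing from the checksum file is reported as a
    failure rather than skipped: an attacker who can edit the list can also delete a line."""
    want = expected.get(name)
    if want is None:
        return False, "not listed in checksum file"
    got = sha256_hex(data)
    if got != want:
        return False, f"SHA-256 mismatch: expected {want[:12]}..., got {got[:12]}..."
    return True, "OK"

def run_demo():
    # Constructed stand-ins for an installer and the published checksum file;
    # the version "x.y.z" in the names is a placeholder, not a real release.
    genuine = b"\x7fELF constructed installer bytes " * 64
    checksum_text = (
        f"{sha256_hex(genuine)}  KeePassXC-x.y.z-x86_64.AppImage\n"
        f"{'0' * 64} *KeePassXC-x.y.z-Win64.msi\n"   # Windows-style '*' binary marker
    )
    expected = parse_checksum_file(checksum_text)
    tampered = genuine[:-1] + b"!"                      # a single byte changed
    return {
        "genuine": verify_download("KeePassXC-x.y.z-x86_64.AppImage", genuine, expected),
        "tampered": verify_download("KeePassXC-x.y.z-x86_64.AppImage", tampered, expected),
        "unlisted": verify_download("KeePassXC-x.y.z-x86_64.dmg", genuine, expected),
    }

if __name__ == "__main__":
    for label, (ok, reason) in run_demo().items():
        print(f"{label:9s} {'PASS' if ok else 'FAIL'}: {reason}")
```

On a real download the same integrity check is `sha256sum -c` on Linux, `shasum -a 256 -c` on macOS, or `Get-FileHash` in PowerShell. It does not replace the authenticity step described above, `gpg --verify` on the signature file after importing the team’s public key, because a checksum published next to a tampered installer can be swapped just as easily as the installer.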
We’ll install the application and open it. You should allow the program to check for updates on startup to ensure you always have the latest security patches.

Create a new database and we'll give it a name and description reflecting the name of the computer you’ll be using it on. Let’s click on advanced settings to set the security configuration. For the encryption algorithm, each one of these choices is excellent. AES, also known as Rijndael, has stood the test of time under cryptanalysis, and can benefit from hardware acceleration in CPUs that support the AES-NI instruction set, though it’s less important on small files like a password database. Twofish was developed by the legendary cryptographer and technologist Bruce Schneier. It was a competition finalist to become AES, but Rijndael was chosen because of some speed advantages. I personally use ChaCha20, which is a more modern encryption algorithm than AES and Twofish. It was developed by another genius cryptographer, Daniel Bernstein. Google adopted ChaCha20 as the algorithm of choice for Android devices for storage encryption and TLS encryption to their websites. It’s also used in the latest Linux kernel
to generate random data.

We’ll use Argon2 to hash your master password and benchmark a 1-second delay for your computer. Argon2 is incredibly strong and was the winner of the Password Hashing Competition in 2015. A hashing algorithm turns your plaintext password into a unique fixed-length key that can be used for encryption. A one-second delay means it takes the algorithm one second to generate the hash. If you’re using a password of, say, 80 bits in strength, this means 2 to the 80th seconds, or 3.8 quadrillion years, for someone to brute force the password on your computer. A two-second delay doubles that. Obviously, if your database is stolen and being attacked on a cluster of specialized hardware, this cracking time goes down significantly. That’s why you need a long, high-entropy password and can't rely just on a hashing algorithm.

Let’s make a strong master key using the
passphrase method. If you’d like to select words using a true random number generator, grab some dice and a wordlist from the Electronic Frontier Foundation’s website. There's also a link to it in the description. Suppose we roll the numbers 32362; the first word in our passphrase would be “glowing”. If pseudorandom is good enough for you, we can just use KeePassXC's built-in generator. The word separator can be empty or any symbol. It doesn't really add much additional strength to the passphrase; it just makes it easier to read.

How many words should you use? I personally use a 128-bit master password to future-proof against advances in computing power. This requires ten words. For most people though, you can use seven words. It gives us ninety bits of entropy, which is stronger than a fourteen-character random mix. You can slowly work your way up to this by starting off with just three words as your passphrase. Then over the course of the next month, tack on a random word each week until you’re there.

Write this passphrase down and hide it in a lockbox somewhere for safekeeping. You never know when you'll forget it one day for some reason. For your grandmother with poor memory, write it down for her in a notebook to keep in a purse. When it comes to security, simplicity is usually the best option. I learned this the hard way, having locked myself out of my data more than once, since I never bothered writing down the passphrase.
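As an added example (my own code, not the EFF’s or KeePassXC’s), here is a Python script that ties the passphrase section and the Argon2 delay arithmetic together: it parses wordlist text in the EFF format (five dice digits, a tab, a word), looks up a dice roll, computes the entropy of a passphrase and of a random character string, and converts an entropy figure into brute-force time at one guess per second. The wordlist rows below are a constructed excerpt; only the 32362 → “glowing” pairing comes from the video, and for real use you would load the full 7776-line list.

```python
import math
import secrets

# Constructed excerpt in the EFF large wordlist's own format ("<five dice digits><tab><word>").
# The real list has 7776 rows; only 32362 -> "glowing" is taken from the video,
# the other rows are made up here for illustration.
EFF_EXCERPT = """\
11111\tabacus
11112\tabdomen
32361\tglove
32362\tglowing
32363\tglucose
66666\tzoom
"""

def parse_eff_wordlist(text):
    """Parse EFF-style wordlist text into {dice_key: word}, rejecting malformed rows."""
    words = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, word = line.partition("\t")
        if len(key) != 5 or any(c not in "123456" for c in key) or not word.strip():
            raise ValueError(f"bad wordlist row: {raw!r}")
        words[key] = word.strip()
    return words

def word_for_roll(wordlist, roll):
    """Five physical dice rolls written as a string, e.g. '32362', select one word."""
    return wordlist[roll]

def passphrase_entropy_bits(num_words, list_size=7776):
    """Each uniformly chosen word from a 7776-word list adds log2(7776) ~= 12.9 bits."""
    return num_words * math.log2(list_size)

def charset_entropy_bits(length, charset_size):
    """Entropy of a uniformly random string of `length` symbols from `charset_size` choices."""
    return length * math.log2(charset_size)

def brute_force_years(entropy_bits, seconds_per_guess=1.0):
    """Years needed to try the whole keyspace at one guess per `seconds_per_guess`
    (the Argon2 delay benchmarked in the video). Halve it for the average case."""
    return (2 ** entropy_bits) * seconds_per_guess / (365.25 * 24 * 3600)

def random_passphrase(wordlist, num_words, separator=" "):
    """CSPRNG stand-in for physical dice: uniform choice from whatever list is loaded.
    Entropy per word is log2(len(wordlist)), so the excerpt above gives far less than 12.9."""
    words = list(wordlist.values())
    return separator.join(secrets.choice(words) for _ in range(num_words))

if __name__ == "__main__":
    wl = parse_eff_wordlist(EFF_EXCERPT)
    print("roll 32362 ->", word_for_roll(wl, "32362"))
    for n in (3, 7, 10):
        print(f"{n:2d} words: {passphrase_entropy_bits(n):.1f} bits")
    print(f"14 alphanumerics: {charset_entropy_bits(14, 62):.1f} bits")
    print(f"80 bits at 1 s/guess: {brute_force_years(80):.2e} years")
    print("sample:", random_passphrase(wl, 3))
```

The numbers come out as the video says: seven words give about 90 bits, nine words fall short of 128 and ten clear it, and fourteen random alphanumeric characters (62 symbols) come in under seven words.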
There’s also the additional option of using a keyfile or a YubiKey programmed in Challenge-Response mode as a second factor to decrypt your database. To do this, just plug it in and select the Challenge-Response slot. I recommend using a YubiKey if you have one, but remember to make a second copy as well, in case you lose the first. If you don't have a YubiKey, you can also generate a key file to store on a USB stick. Don’t store it on the same device as your database, since then it’s no longer a second factor. Back up the key file to another drive, since if it gets corrupted or deleted, you’ll be locked out of your passwords for good. After all that’s done, save your database to the desktop somewhere.

We can create our first entries now. Right-click or press Ctrl-N. We’ll add a title, username, password, and
URL for LastPass. I like using something ridiculously long from the extended ASCII character set if I can. Some websites limit you to twenty or thirty characters or restrict the symbols you can use. In these cases you’ll have to adjust the generated password accordingly. Some sites may truncate passwords that are too long without telling you the length limit. Your generated password won’t work in this case, and you’ll have to reset the password and adjust to a shorter one.
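As an added example (my own code, not KeePassXC’s generator), here is how I would generate a password that already fits a site’s stated limits rather than trimming one afterwards: take the full length the site allows, use every printable ASCII symbol it does not forbid, and check the candidate against those limits before it ever gets pasted into a form. The limits passed in the demo (20 characters, a handful of forbidden symbols) are constructed; the names `generate_for_site` and `check_policy` are mine.

```python
import math
import secrets
import string

ALL_PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def generate_password(length, allowed):
    """Uniform random password of `length` characters drawn from the string `allowed`."""
    allowed = "".join(sorted(set(allowed)))
    if length < 1 or len(allowed) < 2:
        raise ValueError("need a positive length and at least two distinct characters")
    return "".join(secrets.choice(allowed) for _ in range(length))

def check_policy(password, max_length, forbidden_symbols=""):
    """List the ways a candidate breaks a site's stated limits (empty list = accepted)."""
    problems = []
    if len(password) > max_length:
        problems.append(f"longer than {max_length} characters")
    bad = sorted({c for c in password if c in forbidden_symbols})
    if bad:
        problems.append("uses forbidden symbols: " + "".join(bad))
    return problems

def generate_for_site(max_length, forbidden_symbols="", require_classes=True):
    """Strongest password a site accepts: its full length limit, every symbol it does not
    forbid, and (optionally) at least one lower-case, upper-case, digit and symbol."""
    allowed = "".join(c for c in ALL_PRINTABLE if c not in forbidden_symbols)
    classes = [cls for cls in (string.ascii_lowercase, string.ascii_uppercase,
                               string.digits, string.punctuation)
               if any(c in allowed for c in cls)]
    if require_classes and max_length < len(classes):
        raise ValueError("length limit too short to hold one character of each class")
    while True:  # rejection sampling keeps the distribution uniform over accepted strings
        candidate = generate_password(max_length, allowed)
        if not require_classes or all(any(c in cls for c in candidate) for cls in classes):
            assert check_policy(candidate, max_length, forbidden_symbols) == []
            return candidate

def entropy_bits(length, allowed):
    """Entropy of a uniform password of `length` characters over the distinct symbols in `allowed`."""
    return length * math.log2(len(set(allowed)))

if __name__ == "__main__":
    forbidden = "<>\"'&"                         # constructed example of a site's symbol ban
    pw = generate_for_site(20, forbidden)
    print(pw, f"({entropy_bits(20, ALL_PRINTABLE.translate(str.maketrans('', '', forbidden))):.1f} bits)")
    print(check_policy("p&ss<word" * 4, 30, forbidden))
```

If a site silently truncates, the generated password will not match what the site stored; a reset is the only fix, as the video says, so it pays to read the limit off the signup form and feed it to `max_length` up front.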
The notes section is useful for recording information like backup codes, PINs, and security questions. By the way, for security questions, I also recommend you generate a short two- or three-word passphrase instead of using something like your mother’s real maiden name. This prevents attackers from researching you on the Internet and making educated guesses to recover your account.

I’ll download a favicon for the entry to make it easier to identify. If that fails, you can manually download an ICO favicon by going to the website’s home page and inspecting the page. Then download and add it as a custom one. The history section lets me review any past changes. So if you generate a new password for an existing entry, the old one will show up here. In the folder tree on the left, we can create groups to organize your password entries. I have hundreds of entries in my database, so making groups is quite useful. If you like searching for entries by text, hit Ctrl-F to search for title, username, or notes.

Let’s run through the settings now by clicking
on the wrench icon. I like to keep the defaults: start only one instance of KeePassXC, remember previously used databases, check for updates once a week, and so on. In Auto-Type settings, you can set a keyboard shortcut to automatically fill in fields based on the URL and title of the password entry. I think the default is Ctrl-Shift-V, so we’ll set it here. Under security, you can set how long to wait before your password manager auto-locks or clears the clipboard after copying a password. I typically leave the convenience section as default, except for “don’t hide passwords when editing” and “don’t require password repeat when it's visible”.

Browser integration is a feature that auto-fills password fields for you whenever your database is unlocked. The browser extension connects to your active KeePassXC instance to see if there are any entries that match the URL or title of the web page you’re on. For this to work, you need to enable the integration and install the browser plugin. Click OK and restart KeePassXC. Go to the extension and connect it to your password manager. Then when I go to a login or registration
page, fields can populate automatically.

KeeShare is a feature that lets you export a group of passwords to share with somebody else using KeePassXC. You can enable it for import or export and generate a signing certificate if you want. The signing certificate lets the receiver verify that the shared passwords came from you and weren’t tampered with. When you click edit on a password group and go to KeeShare, you can export it to a container file, encrypted with a password. If you’re trying to share a password group with multiple people, use the synchronize option and set the path to a file sitting on a shared network drive.

Now that you’re familiar with the program, let’s talk daily
workflow with a password manager. For each of your existing accounts, create a new entry and populate it with a newly generated password. Then log in to the account and change it to this password. Whenever you sign up for something new, start by creating the credentials in your manager first. Remember to ALWAYS make regular backups of your password database to multiple locations, whether it's daily or weekly. If your database file gets lost or corrupted, it can be REALLY hard to recover everything.
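As an added example (my own script, not anything KeePassXC ships), here is a Python routine that implements the backup habit just described: copy the database to several locations, verify each copy by SHA-256 before trusting it, and keep a bounded history so old copies do not pile up. The check on the file header uses the KeePass 2.x `.kdbx` signature bytes as a sanity test that the source really is a database; the destinations, the database contents and the file name `Passwords.kdbx` in the demo are constructed inside a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# KeePass 2.x .kdbx files start with the signature words 0x9AA2D903, 0xB54BFB67
# (little-endian on disk). Used only as a sanity check that we are copying a database
# and not, say, an empty file left behind by a failed save.
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def looks_like_kdbx(path):
    with open(path, "rb") as f:
        return f.read(len(KDBX_MAGIC)) == KDBX_MAGIC

def backup_database(src, destinations, keep=5):
    """Copy `src` into each destination directory under a timestamped name, verify every
    copy by hash before trusting it, and prune all but the newest `keep` copies there.
    Returns {destination_dir: path_of_verified_copy}."""
    src = Path(src)
    if not looks_like_kdbx(src):
        raise ValueError(f"{src} does not look like a KeePass 2.x database")
    digest = sha256_file(src)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
    results = {}
    for dest in destinations:
        dest = Path(dest)
        dest.mkdir(parents=True, exist_ok=True)
        target = dest / f"{src.stem}-{stamp}{src.suffix}"
        shutil.copy2(src, target)
        if sha256_file(target) != digest:          # e.g. a flaky USB stick or network share
            target.unlink()
            raise IOError(f"verification failed for {target}")
        # Timestamped names sort chronologically, so the oldest copies come first.
        copies = sorted(dest.glob(f"{src.stem}-*{src.suffix}"))
        for old in copies[:-keep]:
            old.unlink()
        results[str(dest)] = str(target)
    return results

def run_demo():
    """Exercise the routine on a constructed database in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        db = tmp / "Passwords.kdbx"
        db.write_bytes(KDBX_MAGIC + os.urandom(4096))   # constructed stand-in, not a real vault
        dests = [tmp / "usb-stick", tmp / "nas-share"]
        for _ in range(7):                               # a week of daily backups with keep=5
            last = backup_database(db, dests, keep=5)
        verified = all(sha256_file(p) == sha256_file(db) for p in last.values())
        kept = len(list(dests[0].glob("Passwords-*.kdbx")))
        (tmp / "notes.txt").write_bytes(b"not a database")
        try:
            backup_database(tmp / "notes.txt", dests)
            rejected = False
        except ValueError:
            rejected = True
        return {"copies_kept": kept, "verified": verified, "rejected_non_kdbx": rejected}

if __name__ == "__main__":
    print(run_demo())
```

Run it from a scheduler (cron, a systemd timer, or Task Scheduler) with your real database path and two or more destinations on different physical devices; the hash comparison is what turns “I copied it” into “I have a backup I can open”.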
For using a password manager on mobile devices, there are apps like KeePassDX for Android or Strongbox for iOS that can import your database file. If managing an offline password database is too much effort for you, consider trying and paying for one of the many online options like 1Password, LastPass, Dashlane, or Bitwarden. These companies provide apps that sync the database between all of your devices and make it quite convenient to use.

I personally don’t use cloud-based password managers for two reasons. First, the impact of a major compromise or service shutdown is too risky for me, even if the odds are low. LastPass has suffered some minor data breaches in the past, for example, but what if they were major? As centralized sources for people’s passwords, these companies are prime targets for criminals to attack. Second, history has shown that encryption only buys you a certain amount of time until we find ways to break the algorithm. Having sole, offline custody of my data mitigates this risk. With that being said, if the convenience of cloud-based password managers is more important than any extreme security concerns, by ALL means USE them! It’s much better than nothing at all.

One last thing you should know about password
managers is that they’re vulnerable to malware installed on your computer, which can keylog
your master password as you type it in, take screen recordings, or copy your clipboard. If the malware acquires the privileges to
access your memory, it can simply extract the decryption key and upload your database
without key logging at all. Now all of these things apply even if you
don't use a password manager. So make sure you're practicing the best security
hygiene and consider using virtual machines. But we'll save that for another time. So that's it for password managers and how
to get started. If you learned something new from this tutorial,
give it a thumbs up, share it with your friends, and subscribe now. Thanks for tuning in, and I’ll leave you
with a parting question: what type of password manager do you prefer, online or offline? Let me know why in the comments below. See you soon!