I'm Moving to NordPass: Modern Encryption, Privacy and Preparing for Passkeys


NordPass has two types of accounts: personal and business. As one of the more affordable solutions for password management, they're offering viewers of my channel special pricing! I'm super excited to share this offer with you.
With this deal you can get 2 years of NordPass with 1 month free for a personal account:
www.nordpass.com/kathyzant (or use code kathyzant on checkout)
Business accounts (must register with a biz domain) can get a free 3 month trial of NordPass.
www.nordpass.com/kathyzantbus... (use code kathyzantbusiness)
Get my newsletter for exclusive content to help you stay secure and do more with your website.
kathyzant.com/
As so many of us are looking to move to new password managers in light of the latest LastPass breach, I've been looking at different password managers and evaluating them for my own digital security. NordPass asked me to look at their password manager, and there are a few things that put them in a class of their own. What's not to love about more modern encryption (XChaCha20), a commitment to privacy, and preparation for passkeys? In this video, I look at the benefits of NordPass and why I've chosen them for my own password management.
I'm looking towards the future. I am excited about what passkeys will bring to better and more secure credential management and authentication. And with plans to add passkey management, NordPass is best positioned to bring the future of authentication to my credential management.
I'm watching so many of my friends and colleagues migrate from LastPass in painful ways. I want to choose a password manager that is preparing for the future like NordPass is, focusing on ISO 27002 compliance, privacy, and so much more.
NordPass Business Information Security Management System is ISO/IEC 27001:2017 certified and SOC 2 Type 1 audited. It is also fully GDPR compliant.
(disclosure: NordPass business relationship)
Links!
en.wikipedia.org/wiki/Salsa20...
NordPass implementing passkeys:
nordpass.com/blog/passwordles...
Business White Paper:
nordpass.com/nordpass-busines...

Comments: 26

  • @leanneross9728, 1 year ago

    Things I love about this…hearing Kathy Zant’s voice….trusting that Kathy knows what she is talking about, after all she was the one in the late 90’s who sent me an email to try a new search engine called Google….the tutorial and walk through of the security….having this explained in layman’s terms…I guess I just like it all.

  • @cholomondeleybiscuitt, 1 year ago

    I jumped ship from Lastpass to Nordpass Premium a few weeks ago, and it's taken me that long to change every password within my vault over a few hours per day. I also took the plunge and have two Yubikey5 (NFC) keys which are now used as 2FA wherever I can - the only problem is remembering to take a Yubikey with me as I don't generally use a keyring/keyfob. Maybe Passkeys might be a way ahead after all, it's usually the human element that is the weakest link with regards to data breaches. Thanks for the content. 🙂

  • @KathyZant, 1 year ago

    I feel your pain. I am looking forward to putting passwords behind me completely. Thanks for watching!

  • @ericesev, 1 year ago

    On a phone a Passkey is protected by the secure enclave. It's a similar story for a Yubikey. What hardware protection does NordPass provide? If the goal is to use Passkeys, NordPass is an odd place to store them as the Passkeys would be easily accessible to malware. You also recommended not keeping 2FA codes inside a password manager to keep it separate in case the vault is exposed. Why is Passkey storage in NordPass a feature you're excited to see?

  • @KathyZant, 1 year ago

    For some of the logins I have, I will need passkeys for separate devices. For example, I have a few websites that I need to access from multiple computers. Storing that passkey in a pw manager like NordPass offers that flexibility. As always, security is a continuum and not all solutions apply to all applications. There are some times where you need to account for ease of access rather than full security. If I applied full 100% security to everything, all computers would be encased in cement and buried on a remote island. I don't see where you get that anything stored in a password manager is "easily accessible to malware"; that's just not true. I do appreciate you watching and commenting!

  • @ericesev, 1 year ago

    I'm trying to find a security whitepaper for NordPass. How are the passwords protected when they are fetched locally into the app?

  • @ericesev, 1 year ago

    For Passkeys that are stored on an Android phone, these are automatically accessible through all your desktop/laptop browsers using the normal FIDO prompts in the browser. So there isn't really a need to sync them on the desktop/laptop. Even security-minded individuals get distracted and make mistakes and can accidentally download something harmful. That's why FIDO started as a hardware backed solution. But it didn't take off well because folks needed to buy additional hardware. Passkeys are in some respect a usability compromise on the original design. Passkeys use the secure hardware-backed storage on devices many folks already have (their phone). And Passkeys attempt to avoid human mistakes by linking desktop browser FIDO authentication with the Passkey storage on the phone. That way the private key portion of the Passkey can stay within the secure enclave on the phone.

  • @ericesev, 1 year ago

    Info stealer malware families typically target password managers too. J e s t e r is one example. By "easily accessible", I meant once running there are no hardware protections in place to prevent these info stealers from reaching the password manager in typical desktop OSs (Windows/Mac). That's true for any application that is downloaded; it has full access to every other application running as the same user and all of that user's data. As mentioned in a prior comment, even security-minded folks have been tricked into accessing harmful content. IMO it's not realistic to expect that anyone is 100% capable of avoiding it. So why take that chance? I understood the analogy, but this is not a situation where the computer needs to be encased in cement. This is a situation that FIDO has tried to make very simple. It's just a matter of putting the Passkey in a hardware-backed storage location so the private portion can't be accessed by malware. And Passkeys make this very simple for a user to do, as they already have a phone with hardware-backed secure storage.

  • @ericesev, 1 year ago

    ... and apologies for making multiple replies instead of just one. KZread's spam algorithm was nuking my comment.

  • @barbryan5913, 1 year ago

    Hallelujah! Thank you so much. I am so grateful for this discussion. Moving now after trying 1Password, Keeper, and Bitwarden and fumbling around on their interfaces. I LOVED how LastPass worked. So easy! Forced to clean out this closet with so many records and surprised to see sensitive records in there, too. I really appreciate your insights and expertise here. The saving grace here is a thoroughly cleared out pw closet, across the board, and fresh pw for all sites. Thanks, too, for the deal!

  • @KathyZant, 1 year ago

    Thanks for letting me know, Barb! I'm glad you've found something that works for you. I agree, this entire experience with LastPass has been disappointing. There is a lot of cool stuff coming to solve some of these problems. Check out my video about passkeys. kzread.info/dash/bejne/aaBlzsOooKuTpLQ.html This new technology is going to make us all a lot safer. Until then, I'll continue to share what I know about these things so you can make good decisions to protect your data. Thanks for watching!

  • @neuideas, 1 year ago

    I trialed Nordpass a few months ago. I currently use the free version to secure copies of my secure notes. For my needs, a cloud-based password manager needs to have a great browser extension. A desktop application is unnecessary for me. I use KeepassXC for desktop app purposes. I would use it exclusively if it had a good extension, but honestly, it sucks. Keepass vaults support nested folders, tags, custom fields, and a variety of encryption methods and key stretching customization. They support TOTP as well. The best (most functional) extension I can find (among the big cloud-based password managers) is implemented by Bitwarden. Bitwarden also supports nested folders, TOTP, and custom fields, but has no support for tags. Close enough. The Bitwarden browser extension does just about everything I need. Auto-fill is user-prompted, and can be prompted three different ways (Ctrl-Shift-L, clicking directly on the extension icon next to the URL bar, or Rt-clicking anywhere on the page with the mouse). If I need to copy/paste information from my custom fields, I can do this pretty easily, right from the extension icon. The only annoyance I have with it is having to use the extension icon, instead of rt-clicking with a mouse, in order to input custom field information. Well, you can't have everything, I guess. Nordpass has some severe limitations with its extension, and the service is incomplete. It supports folders, but not nested folders. It doesn't support tags, and doesn't implement TOTP. Entries cannot be edited directly within the extension. Instead, it opens a new tab to the website. There is no support for custom fields, so all of that stuff needs to be stored in a secure note, forcing me to flip between tabs in order to do a copy/paste. The extension is nonfunctional without first installing the desktop application (hassle/annoyance). 
    Logging into Nordpass is a 2-step process, forcing you to first log into Nord, then into Nordpass (that's two long, strong passwords to memorize -- not convenient at all). As a free service for saving secure notes, it's perfectly serviceable. From the browser, you can Ctrl-F search notes, and edit very easily. As a cloud-based password manager, it's quite lacking. It's pretty though, unlike Bitwarden and KeepassXC. Functionality wins over appearance, in my opinion.

  • @KathyZant, 1 year ago

    NordPass does have browser extensions, and you illustrate some good points. I do use NordPass for cloud purposes and have non-cloud secured data as well. I personally do not use browser extensions at all for credentials. I think each of us has our own methodology of authentication and credential management and it's great there are so many ways of doing this now. Thanks for watching.

  • @ditchcomfort, 1 year ago

    NordPass needs a 2FA generator in my honest opinion. One of the reasons I didn’t go with NordPass a while back. I need everything in one place. Especially if you’re coming from 1Password, with a bunch of amazing features and cool login methods. And you also have the CLI tool + different ways to store/use SSH etc.

  • @KathyZant, 1 year ago

    Yeah, that was one glaringly obvious omission. Not a big deal for me as I use the phone for 2fa but I could see some people missing that. Working in software, I know that's not a huge deal to add. But if they had a list of priorities, passkeys is a bigger future-proof need and I know they're working on it, so I'm excited about that. Passkeys is the future.

  • @blaaxz, 6 months ago

    Does the 2FA option now exist?

  • @KathyZant, 1 year ago

    With this deal you can get 2 years of NordPass with 1 month free for a personal account: www.nordpass.com/kathyzant (or use code kathyzant on checkout) Business accounts (must register with a biz domain) can get a free 3 month trial of NordPass. www.nordpass.com/kathyzantbusiness (use code kathyzantbusiness)

  • @szabog11, 1 year ago

    Why is subtitle (cc) turned off?

  • @KathyZant, 1 year ago

    Just double-checked and subtitles are turned on in the KZread studio. Since it was just published, there might be lag on KZread's end?

  • @szabog11, 1 year ago

    @KathyZant It's on, now - thx

  • @KathyZant, 1 year ago

    Great, thanks for letting me know!

  • @ditchcomfort, 1 year ago

    So you picked NordPass in the end..? Why did you pick this app over 1Password8? Just curious. Like I mentioned before, I miss some features with NordPass, and I want a much better/quicker way of logging in to all different websites and apps. I myself, have actually gone back to a very basic tool called pass, it’s a terminal-based tool, stored and encrypted locally on my machine. And it also has OTP support. I tested a bunch of password managers yesterday, and I was soooooooo disappointed with all of them. And not to talk about Bitwarden. I can’t actually believe people are still using it. Btw, great and informative video 👍🏻

  • @KathyZant, 1 year ago

    Did you try Keepass? That could be fun for you if you want a retro trip to the 1990s, lol. Yeah, everyone is trying to fix the "passwords are broken" problem. I went with NordPass for the bulk of my credentials because they're adding passkey support in the next few months, and I'm future proofing myself. I use multiple devices/computers to do things and I really want to be able to use one passkey across them easily when needed. So, here I am for now. Thanks for watching.

  • @ditchcomfort, 1 year ago

    @KathyZant Yes Passkey has been around for some time at least with 1Password and Apple I think. My only hope is that developers implement this new feature pretty quickly. At the moment you can only test it out with 1Password because nobody has implemented it yet. Or perhaps a few but…

  • @laykadaniels3609, 3 months ago

    Can you be my mentor please, because I am so interested in cybersecurity
