I store ALL my Passwords in AWS

Get started deploying YOUR OWN instance of Passbolt! j-h.io/passbolt Huge thanks to Passbolt for sponsoring this video!

Comments: 150

  • @_JohnHammond
    @_JohnHammond 1 year ago

    Quick note, you obviously don't need to throw this into the cloud -- you can self-host something locally on your own intranet with something as small as a Raspberry Pi if you want. :) Check out all the sweet stuff Passbolt can do! j-h.io/passbolt

  • @JPEaglesandKatz

    @JPEaglesandKatz

    1 year ago

    I know you were sponsored by them but I would have liked to see some honest insight from you about the actual password manager itself, how it does things and how secure it is... etc.. Possibly a comparison with some other prime ones, bitwarden, lastpass... I mean I've heard nothing about this one would be better or good... (again aside from you being sponsored by them)

  • @tg-lu6hl

    @tg-lu6hl

    1 year ago

    Could you take a look into sliver c2 ?

  • @wolfiexii

    @wolfiexii

    1 year ago

    I can't believe you recommended this without 2FA ... I thought you were serious about security.

  • @JPEaglesandKatz

    @JPEaglesandKatz

    1 year ago

    @@wolfiexii Yeh... I had high respect for some of the in-depth videos but this really looked and sounds like a quick sponsor cash grab. No 2FA / hardware key support makes this product null and void. And I guess John doesn't respond to his viewers raising concerns either.

  • @wolfiexii

    @wolfiexii

    1 year ago

    @@JPEaglesandKatz Aye, what starts out good, goes downhill fast when cash and politics get involved.

  • @SamGib
    @SamGib 1 year ago

    It is good, but passbolt lacks 2FA unless you pay, which I think should come standard in 2022.

  • @robertgleaden5509

    @robertgleaden5509

    1 year ago

    I agree, we've ended up going with Psono purely for the 2FA

  • @clb92

    @clb92

    1 year ago

    A password manager without 2FA? Thanks but no thanks... I think I'll stay with Bitwarden.

  • @cryptoafc7655

    @cryptoafc7655

    1 year ago

    @@clb92 me too, Bitwarden with yubi key

  • @00Klingon

    @00Klingon

    1 year ago

    Bitwarden has 2FA and can be self hosted. That is the standard all competitors must meet to even be considered.

  • @HyBlock
    @HyBlock 1 year ago

    Just self-host Bitwarden. Open source, audited and trusted.

  • @weiSane

    @weiSane

    1 year ago

    @Hoxton stfu..they probably have a reason for it

  • @VIVEVIEV

    @VIVEVIEV

    1 year ago

    Bitwarden > assbolt

  • @lel7531

    @lel7531

    1 year ago

    @Hoxton lmao true

  • @QDLmcfresh

    @QDLmcfresh

    1 year ago

    Vaultwarden for more features

  • @moose43h

    @moose43h

    1 year ago

    @@VIVEVIEV oof

  • @ahmedtahervlogs8119
    @ahmedtahervlogs8119 1 year ago

    Nice video . Thank you

  • @grover-
    @grover- 1 year ago

    It's still the digital equivalent of keeping the front door key under a stone. LastPass learned it the hard way. As for using an open source tool for storing your secrets, OS has both the pro and con that everyone can see the source code. If someone finds a bug there's no financial incentive to fix it if the finder has nefarious plans.

  • @TriSept
    @TriSept 1 year ago

    Looks like a great tool only if it supported at least some kind of MFA. For now I will stick with Bitwarden and Keepass.

  • @junaisetp
    @junaisetp 10 months ago

    Is it possible to protect files like PDF /Excel using passbolt ?

  • @sammo7877
    @sammo7877 1 year ago

    Nice!

  • @ThePapanoob
    @ThePapanoob 1 year ago

    Even if you host it via the „on-premise version“ it doesn't really justify as on-premise as aws can literally do whatever they want to your instance. That includes modifying the passbolt installation to dump your username + password to some logfile ;-) personally I wouldn't trust any hoster with such data.

  • @ameliekk
    @ameliekk 1 year ago

    $0.046/hr is like $30 a month? Too expensive for password manager imo

  • @biackshibe

    @biackshibe

    1 year ago

    don't they have a free tier

  • @paulstelian97

    @paulstelian97

    1 year ago

    @@biackshibe They have a theoretically-free tier that for me never really ended up being actually free.

  • @swapnildinkar

    @swapnildinkar

    1 year ago

    @@paulstelian97 the software itself is free.. the $0.046 is for using the resources on AWS - EC2 instance, etc

  • @paulstelian97

    @paulstelian97

    1 year ago

    @@swapnildinkar I meant the free AWS tier itself (not the one picked by this). It says free but I tend to pay and quite a bit actually.

  • @StrifeJester

    @StrifeJester

    1 year ago

    Run it on digital ocean for $4/month.

  • @Slm3lkm
    @Slm3lkm 1 year ago

    I use Bitwarden, it's open source too

  • @iamvinku
    @iamvinku 1 year ago

    Looks great but honestly I would not use a password manager that didn't at least support TOTP 2FA just for my own peace of mind. Bitwarden's free plan has TOTP 2FA and also allows self-hosting and free access to their cloud hosted instance. Passbolt looks great but it's not for me until it supports TOTP 2FA for the community edition.

  • @NessHypegaming

    @NessHypegaming

    1 year ago

    THIS.

  • @Byter09

    @Byter09

    1 year ago

    You can also self-host vaultwarden (a Rust implementation), which comes with all premium features unlocked.

  • @chompyumyum4615
    @chompyumyum4615 1 year ago

    Not tryna be mean but comes off to me as shill-y "I need to store my passwords somewhere. I will immediately use Amazon and Google to do this" Though, I am also enjoying watching your videos now that I just discovered them, so props! It is good to teach people about gpg keys and stuff. But there are other hosting and domain options, lol To me looks like amazon sponsored passbolt into sponsoring this video

  • @Ng123f4
    @Ng123f4 10 months ago

    Would've been nice if you followed some best practice and put the instance in a private sub and do the same setup, that would've been great, I doubt anyone would let their password manager app just that open.

  • @djcb4190
    @djcb4190 1 year ago

    That's a good idea. I seriously need to write down each password instead of remembering them

  • @bdot02
    @bdot02 1 year ago

    We used passbolt but migrated to passwork because it just had more of the stuff we need.

  • @Duconi
    @Duconi 1 year ago

    Sounds really inefficient to use an EC2 instance for such things. Not just are EC2 instances expensive compared to other VPCs, the instance will also probably idle 99% of the time. On the other hand you could just sync your KeepassXC file with S3, Nextcloud, Google Drive, ... For big companies with a lot of users this is maybe useful. But I would not recommend it for personal use. But still there a lambda version would be nice, so you save costs and do something good for the environment (less electricity, less hardware, ...). And let's not forget to implement a backup system. Keepass synced to the cloud is there already more secure, as copies are local and on the cloud.

  • @zheil9152
    @zheil9152 1 year ago

    I don’t see why they use an external provider for SSL when certificate manager would have just been another line in their cloudformation script. On top of that, same for cloudfront…

  • @BoostedNW
    @BoostedNW 1 year ago

    Passbolt vs Bitwarden(vaultwarden) ?

  • @ChairmanHehe
    @ChairmanHehe 1 year ago

    why not bitwarden?

  • @PowerUsr1
    @PowerUsr1 1 year ago

    mehhh..I mean Bitwarden is the standard right? So not seeing a compelling reason to switch plus theres a lack of 2FA which is weird.

  • @belalal1902
    @belalal1902 1 year ago

    Why not use a normal password manager like LastPass or so? And what's the best free password manager? Thanks!

  • @i_sometimes_leave_comments

    @i_sometimes_leave_comments

    1 year ago

    There's no 1 "best" password manager, or "best" anything most of the time. It largely depends on your own preferences and requirements. 1. Do you trust the company who made the password manager? 2. Do you trust whoever is hosting the server? 3. Do you want it to be accessible from anywhere in the world or just from inside your intranet? 4. How many sets of credentials do you need to store? 5. How many people do you need to share some of those credentials with? 6. Do you want a CLI client for automation or just because you love the terminal, or do you just want a plugin/extension that works on your favorite browser? 7. If you're *really* into tech & security, what specific features and configurations do you want on your self-hosted server? 8. How many milliseconds do you want to shave off of each login? 9. [Insert some other seemingly-obscure preferences a bare-bone Linux user might think of] I use Arch Linux but I wouldn't recommend it as "the best OS" to someone asking for a beginner Linux distro. I like Python and Rust but can't recommend them without knowing what someone wants to develop. John's sponsored so he's showcasing it, but for all we know he could have just cancelled his subscriptions after making the video (I'm not saying he did, just that he can). You can use Lastpass if it seems useful. I used it for years until I had some issues with it and switched to Bitwarden because I liked some of the things they offer for free (e.g. not having to pay for MFA).

  • @belalal1902

    @belalal1902

    1 year ago

    @@i_sometimes_leave_comments Thanks man, appreciate it!

  • @KevinArellano

    @KevinArellano

    1 year ago

    This defeats the purpose of you watching this whole video. It's most secure since you're hosting it yourself. As long as you don't get hacked ( which quite honestly is very slim unless you frequent on sketchy side of the net ) you are not relying on a 3rd party to handle your credentials. Now you obviously are compromising "easiness" over "security", but you are more than welcome to go the easy route and have a higher risk of it getting leaked. LastPass gets hacked twice a year lol

  • @stephanrogers8947
    @stephanrogers8947 1 year ago

    Your tone of voice and demeanor make this hard stuff seem simple......but WHY would someone want to go through ALL this just to configure this?

  • @Jordan-hz1wr
    @Jordan-hz1wr 1 year ago

    I'm a grumpy old BSD guy who believes "worse is better". Which is why I'll stick with trusty ole pass.

  • @drgr33nUK
    @drgr33nUK 1 year ago

    Did I see you just log into AWS as root! Tut tut :) I use GNU Pass for my personal password manager.

  • @P4V3LS
    @P4V3LS 1 year ago

    This is so freakin scary. I am always worried my pass word file database and app is making connections to the internet.

  • @pr1nzp1
    @pr1nzp1 1 year ago

    Ohama means family, right?

  • @MrManonoFly
    @MrManonoFly 1 year ago

    Enpass is better if you need one Vault per user. PassBolt is nice if multiple users need access for one vault, but with different permissions

  • @PixelHamster

    @PixelHamster

    1 year ago

    enpass is paid, closed source and has been buggy on linux for years :P I only use it cuz i've a lifetime licence from back when it was 5 bucks

  • @mikeleio007_xd9
    @mikeleio007_xd9 1 year ago

    The thumbnail wants to kill me

  • @ilusions4
    @ilusions4 1 year ago

    vaultwarden

  • @dura2k
    @dura2k 1 year ago

    So, it's open source, but all the good functions which would be better than other services are paid? Even freaking folders and MFA? So keepass if you're using it for your own or bitwarden for multiple user is still the better option for hosting tbh (and even has an open-source community rust server implementation). And it's 360€ for a year? That's insane... Not an alternative.

  • @michaelortega804
    @michaelortega804 1 year ago

    lol all good until you have to grab your phone in order to enter 2FA, it should be included on the CE. Anyways ill stick with Vaultwarden.

  • @robbienorton9522
    @robbienorton9522 1 year ago

    I use keepass for personal use, but this looks great for corporate environments

  • @chibiichen
    @chibiichen 1 year ago

    How much does it cost using Amazon?

  • @MrNolimitech

    @MrNolimitech

    1 year ago

    Apps are Free, but the Instance is 30$/month $0.046/h = $1.104/day = +30$/month

  • @chibiichen

    @chibiichen

    1 year ago

    @MrNolimitech seems too much for just hosting a password manager. Is there a way to get it cheaper?

  • @evilgibson
    @evilgibson 1 year ago

    have been using self hosted KeePass database on Google drive for the past 10 years. have avoided all the "safe" online password sites and their oopsie-daisies data exposures. I'm good with my solution (which has 2FA built in for those that are going to bring up it's only password)

  • @VR-Nomad
    @VR-Nomad 1 year ago

    Is BitWarden still a great password manager?

  • @An.Individual

    @An.Individual

    1 year ago

    I would say the best

  • @bennihtm

    @bennihtm

    1 year ago

    It's the only one I know of that has been independently audited multiple times and never had any data leaks

  • @clb92

    @clb92

    1 year ago

    I like it. You can host your own Vaultwarden server too, if you'd like.

  • @venkatasurajjami5653
    @venkatasurajjami5653 1 year ago

    Make a video on evilginx2

  • @wizzbitgxs
    @wizzbitgxs 1 year ago

    I kinda wonder why a hacker would recommend your passwords to be stored in a cloud service? that would really be the last resort where i would put my passwords to be honest. Bitwarden has 2fa out of the box. also opensource and can also locally be installed that all and for zero costs .

  • @stavros222
    @stavros222 1 year ago

    plot twist: it really found elon musk's car location

  • @England91

    @England91

    1 year ago

    I'm glad I wasn't the only one that noticed Elon was mentioned in the setup screen

  • @custard131
    @custard131 1 year ago

    that's kinda scary how casually you overwrote your existing primary ssh key

  • @Freeak6

    @Freeak6

    1 year ago

    He is in a virtual environment. One he probably created for the video, so, it's fine.

  • @custard131

    @custard131

    1 year ago

    @@Freeak6 ye i get that but didnt even hesitate :p not from doing that but ive felt the pain of locking myself out of my servers before and its not fun :(

  • @jasonrochau
    @jasonrochau 1 year ago

    The master password is legit

  • @timisthebest
    @timisthebest 1 year ago

    I'm not sure how anyone could recommend this when they paywall MFA, SSO and auditing. What a complete joke.

  • @MD4564
    @MD4564 1 year ago

    Nice, but it's not your own infrastructure, it's still cloud.

  • @devKazuto
    @devKazuto 1 year ago

    Passbolt sucked so much when I had to use it. Never again. "stay logged in" never worked and I got logged out after 5 minutes and it got no app during the time. Bitwarden is so much better in my opinion.

  • @ElSarcastro
    @ElSarcastro 10 months ago

    Just make sure to mute your amazon doorbells or you will lose your passwords

  • @Catge
    @Catge 1 year ago

    Probably just self hosting bitwarden is better. Open source, audited, and good community.

  • @KevinArellano

    @KevinArellano

    1 year ago

    Isn't it the same concept though?

  • @Troiler
    @Troiler 1 year ago

    This is rude.. you're not showing or explaining the pricing it'll take to rent the ec2 instances..

  • @khalidelgazzar
    @khalidelgazzar 1 year ago

    13:04 locating Elon Musk's car 😅

  • @3398halofreak
    @3398halofreak 11 months ago

    Why are none of these tutorials on actual in-home clients there all I ya here my rdns like show us a real world scenario where we have a ubuntu computer kicking around and we want to run on it and be accessible.

  • @goodboy8833
    @goodboy8833 1 year ago

    Is this a promotional video?

  • @wilcosec
    @wilcosec 1 year ago

    Nah, Bitwarden for me.

  • @aeonel
    @aeonel 1 year ago

    Bitwarden rules.

  • @josemicod2
    @josemicod2 1 year ago

    I use my mind, fuck passwords services

  • @navarrov
    @navarrov 1 year ago

    Very cool. I still prefer LastPass simply because it has my 500+ passwords and is sync’d on all my devices. They have been compromised a few times though, so that’s one con. I’ve been considering bitwarden, but I’m pretty happy with LP.

  • @FaZekiller-qe3uf

    @FaZekiller-qe3uf

    1 year ago

    You can export passwords as a csv and import it to another password manager.

  • @redtrillix2

    @redtrillix2

    1 year ago

    even with all the breaches they have?

  • @liveunderflow5511
    @liveunderflow5511 1 year ago

    John, share your CSV file for educational purposes

  • @gillesva51
    @gillesva51 1 year ago

    I think most people in here are missing the use-case for this. Great functionalities in passbolt honestly. You can admin the access control to passwords for a team eg IT, sales, production etc very easily. This is for businesses. What's wrong with having to pay for that.. I for one thank you John, as this is exactly what the startup I just started working in needed.

  • @Iwantapplez109

    @Iwantapplez109

    1 year ago

    Yeah it's great until AWS servers have an oops, and then hashes get leaked. That and MFA is paywalled (i mean come on, this is like an EA game, get a half-assed product and get the rest as paid DLC). imo KeePassXC is the way to go. It's free, completely local, you're in control of everything, and if you need syncing, you can use syncthing, or just copy the database file over to your other device. And if you're *really* paranoid, you can always use a keyfile or hardware key to encrypt your database.

  • @asddsa6465
    @asddsa6465 1 year ago

    i store on blockchain

  • @SolitaryElite
    @SolitaryElite 1 year ago

    thank you for letting me know, I'll be trying to hack your aws now xd

  • @SolitaryElite

    @SolitaryElite

    1 year ago

    @Hoxton yeah that was a joke but I have a reset password poisoning exploit for aws so I could probably do that if he doesn't have 2fa🙃

  • @England91

    @England91

    1 year ago

    @@SolitaryElite from what I've seen the comments the 2FA is in the paid service not the free service

  • @axer552
    @axer552 1 year ago

  • @NeverGiveUpYo
    @NeverGiveUpYo 1 year ago

    I was never a fan of password managers..

  • @mattplaygamez
    @mattplaygamez 1 year ago

    Looks great but costs 34 dollars a month. So be careful

  • @zShipStreeTz
    @zShipStreeTz 1 year ago

    any pros over using vaultwarden🤔

  • @canahmetbe
    @canahmetbe 1 year ago

    Well done

  • @zeroordie453
    @zeroordie453 1 year ago

    Bitwarden all day.

  • @stupidmariogamer6952
    @stupidmariogamer6952 1 year ago

    is he learning us how to hack?

  • @stupidmariogamer6952

    @stupidmariogamer6952

    1 year ago

    @Hoxton i mean any video

  • @garyruiz2491
    @garyruiz2491 1 year ago

    Any 1Password Fans? 👇🏼Like

  • @Yasin33
    @Yasin33 1 year ago

    First

  • @SidTheGreat420

    @SidTheGreat420

    1 year ago

    No one asked

  • @KratosConPelo

    @KratosConPelo

    1 year ago

    Literally nobody cares

  • @Hdio99
    @Hdio99 1 year ago

    this guy is all about money, once asked help because I was robbed, nor even responded and I contacted him by email, after I unsubscribed him and lost track, today I see this video, and for this because they sponsored him he makes a huge promotional video... I don't trust the good faith of this guy... just saying... maybe he is a good guy, not to me but who cares right!!!

  • @josemicod2

    @josemicod2

    1 year ago

    Call the Police idiot, he doesn't make that type of services, it's ridiculous.

  • @majoryoshi

    @majoryoshi

    1 year ago

    i’m gonna assume briefly that this comment is legit, most people aren’t gonna help some stranger on the internet get money after being robbed. not easy to even confirm it to begin with, much less figure out how much you should get. you’re not entitled to getting money after being robbed. for the video being sponsored we don’t know much about the contract and that’s common, but we can likely infer that the contract said something about making a video about setting it up. when there’s money changing hands, you need to learn to take what’s being said with a grain of salt, and even then the FTC prevents sponsored videos from being forced to say something they don’t believe. this goes for every creator online, not just john

  • @Hdio99

    @Hdio99

    1 year ago

    @@josemicod2 well I did, it's not the point, I asked help for understanding how was it done, so if he is so eager to make videos about security if you are here just to promote and get money out of youtube and not even do human things I call him out on that!! simple, but in a normal manner without calling names like you did, fan boy...maybe the idiot is other...maybe you have it so often in your mouth maybe

  • @Hdio99

    @Hdio99

    1 year ago

    @@majoryoshi well I understand what you say, the point is I was reaching him not to get the money back for that I made contact with the police, of course he has no power to go after, but because I was in shock and I wanted to know/understand how was it done, it was from a BINANCE app someone hacker entered my pc and entered the security of BINANCE APP like butter avoiding second A2F security...etc...so you are assuming to much I believe

  • @josemicod2

    @josemicod2

    1 year ago

    @@Hdio99 nobody work for free, only scammers

  • @rpeetz
    @rpeetz 1 year ago

    I store all my passwords in my keepassxc offline i trust no one.

  • @sebastian93921
    @sebastian93921 1 year ago

    KeepassXC for me

  • @lorazepam5451
    @lorazepam5451 1 year ago

    "open source", why is 2FA behind paywall? trash