You NEED to use a Password Manager!

Science and Technology

Do you reuse passwords? Or tweak them slightly by changing just a couple of letters?
You need to stop doing that immediately, and use a password manager instead.
In this video we explain what a password manager is, why you need to use one, criteria to look for in a good one, and really important tips for password management.
00:00 Intro
00:28 Why are Password Managers Important
03:07 People Can’t Type Randomly!
04:05 Criteria for Choosing a Password Manager
05:48 Online, 3rd-Party Services
08:35 Online, Self-Managed Vault
10:16 Offline, Self-Managed Vault
11:18 Best practices: CHOOSING A MASTER PASSWORD
12:22 Best practices: SECURITY QUESTIONS
12:52 Best practices: Autofill
14:16 Best practices: BACKUPS
EFF word list, and Password Manager Deep-Dive
ssd.eff.org/en/module/creatin...
Brought to you by NBTV members: Reuben Yap, Will Sandoval, Sam Ettaro, and Naomi Brockwell
To support NBTV, visit www.nbtv.media/support
(tax-deductible in the US)
Sign up for the free CryptoBeat newsletter here:
cryptobeat.substack.com/
Beware of scammers, I will never give you a phone number or reach out to you with investment advice. I do not give investment advice.
Visit the NBTV website:
nbtv.media
Watch this video on Odysee!
open.lbry.com/@NaomiBrockwell...
Here are a bunch of products I like and use. Using these links helps support the channel and future videos!
Recommended Books:
Permanent Record - Edward Snowden
amzn.to/305negc
No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State - Glenn Greenwald
amzn.to/2UQmJ4m
What has the government done to our money - Rothbard
amzn.to/2KMzmcu
Extreme Privacy - Michael Bazzell (The best privacy book I've ever read)
amzn.to/3BLZ1gq
Naomi's Privacy Bag: some of my favorite products to help protect your privacy!
Use the Brave browser! brave.com/nao076
USB-C to ethernet adapter:
amzn.to/2lOVBoy
Faraday bag (signal stopping, to protect your fob, credit card, computer, and phone)
amzn.to/3DjIvCP
Data Blocker (if you're charging your phone in an unknown port, use this so that no data is transferred)
amzn.to/2SVh0J2
Computer privacy screen (use your computer in public? Keep your information safe! Choose the size right for your computer)
amzn.to/3F816Sn
Phone privacy screen (don't let people in public see your private data, choose the size for your phone)
amzn.to/3wNtYwb
Camera cover (for computers and phones, so no one can access your camera without you knowing)
amzn.to/2Mt7Hic
Privacy Tip: Turn off your wifi and bluetooth when you're not using them!!!

Comments: 229

  • @natemarx4999
    @natemarx4999 1 year ago

    Naomi is the reason for happiness whenever she uploads.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    💛

  • @iangreen180

    @iangreen180 1 year ago

    Always delightful!

  • @NaomiBrockwellTV
    @NaomiBrockwellTV 1 year ago

    Chapters:
    00:00 Intro
    00:28 Why are Password Managers Important
    03:07 People Can’t Type Randomly!
    04:05 Criteria for Choosing a Password Manager
    05:48 Online, 3rd-Party Services
    08:35 Online, Self-Managed Vault
    10:16 Offline, Self-Managed Vault
    11:18 Best practices: CHOOSING A MASTER PASSWORD
    12:22 Best practices: SECURITY QUESTIONS
    12:52 Best practices: Autofill
    14:16 Best practices: BACKUPS

    Also, if your comment was removed, it almost surely wasn't me! Comments get removed automatically all the time and there's nothing I can do about it. I suggest you keep trying to post until it sticks! 💛

  • @wombatdk
    @wombatdk 1 year ago

    Excellent episode. Just to give a bit of background: When I want someone's passwords, I install a keylogger on their system (trivial for most targets). Identifying passwords with that is relatively trivial. What I am after is the master password for their password manager of choice, be it the built-ins from Firefox, Chrome, various "Wallets" and so on. Some of those I can then just copy the encrypted database to my own VM and I have access to everything. Simplified explanation, but that's the basics. Naomi gave the ONE way I can't (easily) do that: Use 2FA, on a SEPARATE device. Use an old iPhone or Android phone that's permanently in airplane mode to run the 2FA app. Write down the 2FA tokens or print out the QR code, store them somewhere safe. Preferably IN a decent safe or lockbox, depending on your budget and security needs.

  • @iamsabo
    @iamsabo 1 year ago

    Thank you Ms. Naomi for this! People should consider using password managers nowadays.

  • @brucelovrin4786
    @brucelovrin4786 1 year ago

    Not being a techy I decided a few years ago to pare down and go old school in things like banking and bill pay. But now getting all this info makes me feel more confident that there could be a safe way to move more digitally. Thanks bonza beaut mate . Seeya

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    💛

  • @billfarley9015

    @billfarley9015 1 year ago

    It's "pare down" not pair down.

  • @brucelovrin4786

    @brucelovrin4786 1 year ago

    @@billfarley9015 thanks for correcting my spelling.

  • @CommodoreGreg

    @CommodoreGreg 1 year ago

    @@brucelovrin4786 I also assumed it was pair until I read this. Some idioms are so unexpected...

  • @brucelovrin4786

    @brucelovrin4786 1 year ago

    @@CommodoreGreg yeah I know English is a funny language that mixes a lot of different root dialectics from surrounding countries, I guess that's why it's so hard to get it right every time. Cheers. I now understand that "pare" comes from French I think it being a term from culinary terms but I'm not 100% sure of that.

  • @MadeyeFergy
    @MadeyeFergy 1 year ago

    Thank you Naomi. ❤️ your vids. Very informative and useful.

  • @nicholasagneta
    @nicholasagneta 1 year ago

    Another thing you can do to be extra secure is not actually store your full passwords in your password manager, make it "double blind" (Example: Every password has an extra PIN or phrase at the end that isn't saved in the app). As long as you know that the passwords saved in the password manager aren't complete, even if it gets hacked your full passwords won't be revealed!

  • @TheCocoaDaddy

    @TheCocoaDaddy 1 year ago

    That's called a "password salt". Great technique!

  • @XxDarkXxXSasuxX

    @XxDarkXxXSasuxX 1 year ago

    A key problem I could see with this is that websites still represent a point of failure. More than likely your passwords will be discovered on a hacked database and not your password manager, and in the odds of a targeted attack, they could potentially see what you are salting with. The more websites that your passwords are leaked from, the more data that they have to determine any patterns.

  • @TheCocoaDaddy

    @TheCocoaDaddy 1 year ago

    @@XxDarkXxXSasuxX That's why I use salt AND pepper on my passwords... :D (j/k)

  • @davidbevill2833

    @davidbevill2833 1 year ago

    ​@@TheCocoaDaddy 😂

  • @monkeyseemonkeydo432

    @monkeyseemonkeydo432 4 months ago

    @@XxDarkXxXSasuxX Not if you salt differently for every website

  • @chuff009
    @chuff009 1 year ago

    Great video. Especially because I'm looking to start using a PW manager. I really wish you had done that "next video" comparing popular managers. Thanks for the info here, however. So helpful.

  • @CharcoalDaddyBBQ
    @CharcoalDaddyBBQ 1 year ago

    Been using one for years. Highly recommend

  • @jacksoncremean1664

    @jacksoncremean1664 1 year ago

    It's easier than trying to remember your passwords

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    Absolutely

  • @MrRefael33
    @MrRefael33 1 year ago

    Very useful video, thank you so much! 🙏

  • @barrycrump6189
    @barrycrump6189 1 year ago

    Great advice. Thank you.

  • @seanferguson5460
    @seanferguson5460 1 year ago

    Good advice, as always. BTW, I've always liked the two retro-future items you have behind you, the rocket ship to the left (from my view) and the TV (?) Radio (?) to your right. They both look familiar but I can't place them. What can you tell me about them?

  • @MarioDallaRiva
    @MarioDallaRiva 1 year ago

    Great episode! Thanks, NB. Nice artistry on the whiteboard 👏🏼

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    I am artiste 👩‍🎨

  • @4biddenknowledge108

    @4biddenknowledge108 1 year ago

    @@NaomiBrockwellTV May I ask why you removed my comment?

  • @MarioDallaRiva

    @MarioDallaRiva 1 year ago

    @@NaomiBrockwellTV Oui, oui! 🖼

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    @@4biddenknowledge108 I didn't

  • @4biddenknowledge108

    @4biddenknowledge108 1 year ago

    Scroll all the way down at the bottom then you'll find digi id

  • @viduralakshitha7935
    @viduralakshitha7935 1 year ago

    Hi Naomi. Thanks for this video. It is very helpful for us. How about browser password managers? I'm sure there are privacy problems on them but is it safe to use password manager of community based web browsers such as Firefox?

  • @OptionParty
    @OptionParty 1 year ago

    An early "Happy Birthday" for you from all your friends. May you have many more.

  • @xkwantified
    @xkwantified 1 year ago

    Another video stuffed with good advice. Looking forward to the upcoming video reviewing a few popular password managers!

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    🙏

  • @XxDarkXxXSasuxX
    @XxDarkXxXSasuxX 1 year ago

    Awesome stuff! I would be interested in more password manager content for sure. My threat model isn't very high, so on Linux I still use an encrypted document and manually copy and paste, and I randomly generate long passwords with 'pwgen -s'. Then my clipboard is set to single-entry history and automatically flushes as soon as I close the password document. On Windows, I just use a browser file manager with primary password. I already consider everything on my Windows drive as being spied on, so I don't have much drive to do more to it. Password managers have always been something I've wanted to get into, but it was always hard to choose which one. So I am looking forward to your completing the password manager arc of this channel! Cheers Cx

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    Yay! Coming soon!

  • @Nyowind

    @Nyowind 1 year ago

    What password manager did you pick?

  • @chow9893
    @chow9893 1 year ago

    👍 I hope bitwarden keeps backup of vaults so we never lose access to our passwords

  • @johnszatkowski6898

    @johnszatkowski6898 1 year ago

    Most "good" managers allow for encrypted backups and should be done once a month to an offline device such as a USB drive, SD card, or a NAS storage device in case your phone or PC takes a dump!

  • @alchobum
    @alchobum 1 year ago

    Two things that might turn up. I used a password manager that could not log me into a certain website. The credentials entry screen could only be reached from the link in the home page. Worse, to be more secure (presumably from automated attacks), it would change the underlying field names so the password manager could not identify them. Only manual entry was possible. Because of that I switched to using a usb stick. Every site I use has a different password generated by lastpass or other rng based system. They are generally painful to type, so copy from usb stick file, paste into password field, all good. And then .. I started encountering sites that have paste disabled. I'm sure the developers of those sites meant well but they did it wrong. One more. My usb stick is always with me, so a good thing. But. There is no usb slot for a standard usb plug on my phone. There is no ideal solution. Tradeoffs required, as always.

  • @Cryptonomics7
    @Cryptonomics7 1 year ago

    right on right on Naomi! Tell em

  • @jasonmullinder
    @jasonmullinder 1 year ago

    I remain skeptical about password managers, I understand the security issues regarding passwords, I just have concerns over the way all technology is pushing us to depend on third party algorithms to do everything for us. I saw a Snowden interview where he said we have to choose between security and privacy. There is a trend to avoid talking about this and pretend we can have both in full, then we fall into the convenience and simplicity trap where some complete stranger did all the work for us. Reality is more nuanced and complicated than can be covered in a 15 minute (or 15 hour) video. It's too easy to just buy something and assume it fixes everything.

  • @ax6070
    @ax6070 1 year ago

    Hi Naomi, great video. what's the brand of TV on the shelf, how bout that "rocket" that looks like a table lamp?

  • @restandcalm4446
    @restandcalm4446 1 year ago

    Another great video! Any recommended password managers that don't break the bank?

  • @piratebuddy4649
    @piratebuddy4649 1 year ago

    Keepass + Syncthing = 💥

  • @del669
    @del669 1 year ago

    what an awesome channel!

  • @ogcrypto6022
    @ogcrypto6022 1 year ago

    Thanks for the video babe

  • @daniellow426
    @daniellow426 1 year ago

    Thank you.

  • @lancemarchetti8673
    @lancemarchetti8673 1 year ago

    I decided to dump password managers and hide my passwords in plain sight. It's embedded in a common Windows icon in the system directory amongst a 1000 other icons. I highlight the necessary text inside the icon - convert it to base64 - then ASCII to hex...and that's it. No password needed. Also, bot scanners would simply skip over the jumbled text, in case they were looking for keywords like 'account', 'login' or 'passw'. I made a PNG avatar for my profile on a forum website. I applied the same technique. It's been there for 7 months already without being discovered. My passwords are literally in plain sight on the internet, without encryption. I only have to remember the 4 sequential steps to uncover them. Although I did have to search for a site that didn't remove exif data from png files on upload. So that worked for me.

  • @dbadaddy7386
    @dbadaddy7386 1 year ago

    My passwords tend to be based on words on whatever song or video I happen to be listening to when I need a password, or words (but NOT proper nouns) on random pages of a nearby book. I have to write them down immediately or I won't remember them. Makes it a bit harder to use social engineering because I definitely don't base them on stuff you could learn from social media or even an extensive chat with me. Even I don't remember most of them.

  • @justscribeyourthought9855
    @justscribeyourthought9855 1 year ago

    to! Can’t wait to buy it, and getting started!

  • @ThinkGenius
    @ThinkGenius 1 year ago

    Great video keep it up!

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    Thanks for watching! 🙏

  • @phvivian
    @phvivian 1 year ago

    Naomi is a very talented lady! I am starting to wonder if there is anything she can't do!

  • @robwin0072
    @robwin0072 1 year ago

    Hello, help me understand; if I use a password manager (NordPass) on my PC, and I allow the use of the long, complex) on my PC. Now I visit the site on my iPhone, will I need NordPass on my iPhone, and will they sync? Will it sync on my iPad? Is that how Password Manager works?

  • @dbadaddy7386
    @dbadaddy7386 1 year ago

    The service doesn't have to go out of business. How do you access the cloud when some drunk hits a pole and knocks out internet for a week? It's happened in my area. I dislike cloud services both because it means my data is in someone else's computer and because crappy internet means I often can't access it.

  • @LarryCarlin
    @LarryCarlin 1 year ago

    Ohhh, gibberish answer to security questions... good tip.

  • @perengstrom3414
    @perengstrom3414 1 year ago

    I use a password manager and diceware passphrases with one inserted random symbol or capital character. Make a two dice matrix, six columns horizontal and six rows vertical. Fill the matrix with special symbols and capital letters and roll two dice to select which symbol or capital character to use (first horizontal, then vertical). Then roll a dice again to select which word in order the extra symbol should be inserted in (1-2= first word, 3-4 second word, etc.). Then roll one dice once more to decide which place in the word to put the extra symbol (1-2=second place, 3-4=third place, etc.). You have now broken up one random word in the passphrase with a random symbol or capital letter. Your passphrase is now better protected from a dictionary attack because one word in your passphrase does not exist in any word list or dictionary so your passphrase must be brute-forced and that is hard to do when the character-set is above 16 characters (ideally 20+ characters). That is one way to do it, do your own variation of it. :) ps. I have no idea how it affects the bit-strength, but I suspect it will make it somewhat higher.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    That is one complex system! But glad you’re being safe! 💛

  • @perengstrom3414

    @perengstrom3414 1 year ago

    @@NaomiBrockwellTV It is fun and exciting rolling dice and write down unique diceware passphrases decided by the universe that only you know about. :) I use them as master passwords and PC and mobile device logins. I use a password manager for everything else (web-accounts and other stuff). Passwords and passphrases are supposed to be hard, they are locks to your front door. A key hanging on a hook outside beside the lock is convenient when you come home, but convenient defeats the purpose of a lock. A lock is supposed to be hard, otherwise everybody can get past it. That is my humble opinion anyway. Thanks for all great content you provide! :)

  • @liminal6823
    @liminal6823 1 year ago

    Absolutely positively necessary. I've been using 1Password for myself and my dad for the past year and it's blissful.

  • @FlamencoOz

    @FlamencoOz 1 year ago

    Me too

  • @mrtechie6810
    @mrtechie6810 1 year ago

    Naomi is greatness! Love love love your videos!

  • @Paruthi.618
    @Paruthi.618 1 year ago

    Doubt : on using keepassx or other offline.. one have to copy password and paste manually in the password textbox in a website.. but doesn't this make the password available on clipboard?

  • @JanekBevendorff

    @JanekBevendorff 1 year ago

    Use the browser extension, which doesn't rely on the clipboard. But in general, you shouldn't worry primarily about the fact that malicious applications on your system could read the clipboard contents. Instead, worry about not having such applications on your system in the first place.

  • @JohnSebeny
    @JohnSebeny 1 year ago

    I moved to bitwarden not long ago. best decision ever!

  • @riho4622
    @riho4622 1 year ago

    Thank you uwu

  • @dylanbystedt
    @dylanbystedt 1 year ago

    More password content please! Particularly, 2FA and security questions. Some password managers now serve as 2FA apps, is this secure/unsecure? Also, 2FA apps now sync across devices. How secure/unsecure is this? Are there 2FA apps that require a master password? How to protect against SIM-spoofing and do I need to be worried? Are texted 2FAs or App-based better? ‘Cause I only use an app to keep the codes out of my Messages. Would it be better to use a Google Voice number for 2FA codes vs the number associated with your SIM-card?

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    If your passwords and 2fa are stored in the same system, it’s no longer 2fa, it’s a single point of failure. I would recommend not using the same tool for your 2fa as your passwords.

  • @alice5515

    @alice5515 1 year ago

    And why is it often a Google 2FA? 😣

  • @computerman790
    @computerman790 1 year ago

    Thoughts on adding the same word or number to the end of every password without storing it in the online manager? On the one hand, if your manager is ever compromised, they won't have the full password for any of your accounts and hopefully you can recover in time. On the other, if any service is compromised, that "pepper" (as opposed to salt, I believe) phrase is now known and could make it easier to compromise other services' password hashes. But it feels like they'd have to compromise 2+ accounts and care enough to make the connection. Unless you're being specifically targeted, it seems like this is a non-issue.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    I think adding an extra word to a password and not storing the extra part on the password manager is helpful for security

  • @jr4062
    @jr4062 1 year ago

    So many ways to be hacked, and so many different types of equipment. Which is more secure, computer or smartphone? Which operating system most secure, windows, Mac, Linux? What’s the most secure way of safeguarding your passwords which need to be changed on an irregular basis. This list is so huge that you need a memory manager to keep track of it all. Naomi, you need to create an ai of you, to guide and remind us dummies on equipment and staying secure on the internet. I no longer need a siri, I need a naomi for my online computing.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    Haha AI Naomi coming soon ;)

  • @jr4062

    @jr4062 1 year ago

    @@NaomiBrockwellTV great! Make it one of those holographic AI’s like princess L in Star Wars.

  • @johnroberts3824
    @johnroberts3824 1 year ago

    How I handle passwords: 1. Create a Truecrypt container (use Truecrypt v7.1a) 2. Create a spreadsheet in the container. 3. Save links, login names, and passwords in the spreadsheet. 4. You can save other sensitive files in the container as desired. When I want to log into my bank, I open the container which then becomes a new drive letter. I open the spreadsheet, copy the password, and then click on the link. It takes me to the login page where I then paste the password. Since I'm not trying to remember passwords I can use really cryptic ones. The only password I need to remember is the one to open the container. The only real drawback is that it's just a little cumbersome. But it's super secure. No one will ever suspect that the file is really an encrypted container, it looks like a random file. And even if someone tried, they won't be able to hack into it. Whenever I backup my computer, the file is backed up too. Lastly, I NEVER use my cell phone to log into sensitive websites. It's just not worth the security risk. I only do my banking from my home PC. I don't trust the online password managers. I won't do that.

  • @iblackfeathers
    @iblackfeathers 1 year ago

    good job on defcon karaoke last night!

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    😂😂😂😂😂 omg. Hi!

  • @fulton92503
    @fulton92503 1 year ago

    very good free or paid password manager which to choose

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    I recommend paid service, or self managed open source option like keepassxc

  • @gitshell
    @gitshell 1 year ago

    Good work Naomi. KeepassXC is my password manager of choice. Mainly because its open source. Really cool that you got in touch with the devs.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    I was really grateful they chatted to me!

  • @collectorguy3919
    @collectorguy3919 1 year ago

    I've been using KeePass (many variants available) for years now. Unfortunately, I have not succeeded in explaining it to others.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    Keep trying!

  • @prashantpokhrel9143
    @prashantpokhrel9143 1 year ago

    In The setup If the master channel is located in the top, next to the counter, then no - IT stays witNice tutorialn acceptable limits, when I play so of

  • @wombatdk
    @wombatdk 1 year ago

    If you can, use a different email address (or username) for each site. That greatly reduces your attack surface because the bad guys then can't easily link breached accounts together.

  • @naveenrooplall5379
    @naveenrooplall5379 1 year ago

    Is Nexus free for soft soft

  • @christopherguy1217
    @christopherguy1217 1 year ago

    Good, but all these are software based. What about using a hardware password manager? Could you discuss this?

  • @user-ee8mw5zt7r
    @user-ee8mw5zt7r 1 year ago

    🥰

  • @aneesch4869
    @aneesch4869 1 year ago

    Ily ❤️​

  • @suedoe4316
    @suedoe4316 1 year ago

    0:40 Isn’t it not a big deal if what’s leaked is hashed? My impression was that it’s not like it can be reverse engineered, so someone knowing the hashed version of your password is basically useless. Am I wrong?

  • @hammer86_

    @hammer86_ 1 year ago

    The attackers can use a password cracker, but if the website uses salted hashes, then the attackers can only crack one password at a time and that would take forever. So, I'd say you're not wrong.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    A few things: 1) many passwords are not salted, which makes them easily crackable. Many places even keep a list of common passwords in all kinds of hashed forms so they can recognize when the same version is used. 2) some passwords are weakly salted and also easy to crack. If a password is secured correctly then this should help protect you. Unfortunately this isn’t always the case.

  • @wombatdk

    @wombatdk 1 year ago

    In addition to what hammer86 and Naomi said: If your password is too short, no hash will prevent it from being brute-forced. Some people even just rent cloud computing time to do this, which greatly accelerates the process. Or use a botnet, same principle.
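
The difference between unsalted and salted password storage that this thread discusses, as an added example (not code from the video or from any commenter). The user names, passwords, candidate list and the PBKDF2 work factor are constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # work factor chosen for this example (assumption)

# Constructed stand-in for a dictionary of common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon"]


def unsalted_hash(password):
    """Weak storage: fast, unsalted digest. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(candidates):
    """Hash every candidate once; the table works against any unsalted leak."""
    return {unsalted_hash(p): p for p in candidates}


def recover_from_unsalted(leak, table):
    """Cost per leaked account is a single dictionary lookup."""
    return {user: table[h] for user, h in leak.items() if h in table}


def salted_record(password, salt=None):
    """Stronger storage: per-user random salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def build_demo():
    """Constructed accounts: two users share a common password, one uses a long passphrase."""
    users = {
        "alice": "letmein",
        "bob": "letmein",
        "carol": "tidal-orbit-fennel-quartz-mumble-yonder",
    }
    unsalted_leak = {u: unsalted_hash(p) for u, p in users.items()}
    salted_leak = {u: salted_record(p) for u, p in users.items()}
    return users, unsalted_leak, salted_leak


if __name__ == "__main__":
    users, weak, strong = build_demo()
    table = precomputed_table(COMMON_PASSWORDS)
    print("identical unsalted hashes:", weak["alice"] == weak["bob"])
    print("recovered by table lookup:", recover_from_unsalted(weak, table))
    # With salts, the same password no longer produces the same record, so a
    # precomputed table cannot be reused across accounts or across sites.
    print("identical salted digests:", strong["alice"][1] == strong["bob"][1])
    # A salt does not rescue a weak password: each guess still succeeds, it just
    # has to be recomputed per account at PBKDF2_ROUNDS iterations.
    print("guess 'letmein' for alice:", verify("letmein", *strong["alice"]))
```
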

  • @blind5211
    @blind5211 1 year ago

    may I ask... where IS the next video with most popular password managers reviewed? I really wanted to find that info :(

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    That’s our next release :)

  • @blind5211

    @blind5211 1 year ago

    @@NaomiBrockwellTV oh alright, thanks! I thought it was already released and I somehow missed it, I also know KZread sometimes blocks and hides some specific videos for me because they're unavailable in my country

  • @GTAbestplayer123
    @GTAbestplayer123 1 year ago

    I take the lazy route and use the built-in password manager in iOS.

  • @AlfonsoSalas
    @AlfonsoSalas 1 year ago

    What do you think of Passkeys?

  • @YasinNabi
    @YasinNabi 1 year ago

    "There are no secrets to success. It is the result of preparation, hard work, and learning from failure." -- Colin Powell

  • @billfarley9015
    @billfarley9015 1 year ago

    Best Practices: 11:19

  • @monkeyseemonkeydo432
    @monkeyseemonkeydo432 4 months ago

    What if you have a keylogger on your device that you don’t know about? Then you download a password manager. Then you set it up with a master password, and start generating passwords. Now the hacker has access to everything.

  • @pedreis
    @pedreis 1 year ago

    Nice tips, but you forgot to talk about dangers of using your browser's built-in password manager

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    Will talk about browsers in a different video

  • @franciswong311
    @franciswong311 1 year ago

    Brave password manager is offline on your devices I think... it syncs via its own chain across your devices no need to create a google account unlike google it saves and only accessible online

  • @paulstubbs7678
    @paulstubbs7678 1 year ago

    Been using KeePass, but no idea what this 'XC' variant is. Some companies on the internet are a pain, in that they outsource advertising/promoting etc., which quite often results in you getting communications from that company with odd addresses, making verifying them a pain in the .....

  • @glowingone1774

    @glowingone1774 1 year ago

    xc is the QT fork of keepass

  • @ReubenYap

    @ReubenYap 1 year ago

    @@glowingone1774 I don't think it's really a fork, more of a port afaik. KeePassXC is written in C++ compared to Keepass' C# and is therefore more cross platform compatible.

  • @glowingone1774

    @glowingone1774 1 year ago

    @@ReubenYap nope it's a fork of KeepassX, which itself was a fork, so indeed it is a fork

  • @ReubenYap

    @ReubenYap 1 year ago

    @@glowingone1774 keepassx is a port not a fork

  • @gwaeron8630
    @gwaeron8630 1 year ago

    An old work colleague did the sticky notes on his monitor thing at home. He got broken into and things did not go well for him after that.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    😰

  • @alchobum

    @alchobum 1 year ago

    Everybody knows you are supposed to put the sticky notes on the bottom of your keyboard. Nobody would ever think to look there.

  • @dylanbystedt
    @dylanbystedt 1 year ago

    URL autofill filtering isn’t helpful as many websites change the URL of the login page over time, particularly if the page has been updated, keeping the old URL separate for easing downgrading if there is an issue. Or they have several different login URLs depending on which part of the service you’re using; for example Amazon, Prime Video, etc. Since this autofill filtering is broken by authentic services - people become complacent in copy-pasting login credentials, or worse, altering the URL in the password manager to be a higher level, allowing for some phishing URLs to go undetected.

  • @truegent68
    @truegent68 1 year ago

    "in our next video we compare some of the most popular password managers" did you ever make this video Naomi?

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    in the works! :) We are a small team with very little funding, working as fast as we can with a long backlog 🙏 Will probably be out in December

  • @olivermate9353
    @olivermate9353 1 year ago

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    🙏

  • @Note10plusAura
    @Note10plusAura 1 year ago

    Genuinely Curious.. "6 random words - 77bits protects against every ExcepT the NSA"? Then why do all the entropy spreadsheets say for example: the 6 word passphrase would take around 96 years to crack and that's with the power of 1 Hundred Trillion brute force guesses Per Second?

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    Because that’s the power of the nsa

  • @Note10plusAura

    @Note10plusAura 1 year ago

    @@NaomiBrockwellTV So what Exactly is the power of the NSA? Even if they have 9,999,999,999,999 hashes per second, it would still take 10 years?
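
The numbers in this thread (six random words, about 77 bits, 100 trillion guesses per second) and the symbol-insertion scheme from the earlier diceware comment can be worked through in a short model. This is an added example, not part of the video or of any commenter's post; the 36-entry symbol matrix and the 16-word demo list are constructed, and the model assumes the attacker knows the scheme and that every choice is uniformly random.

```python
import math
import secrets
import string

WORDLIST_SIZE = 6 ** 5                 # 7776 words: five dice rolls select one word
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed 6x6 symbol matrix (36 entries): capital letters plus ten specials.
SYMBOLS = string.ascii_uppercase + "!@#$%^&*-+"

# Constructed stand-in list for the demo; a real diceware list has 7776 entries.
DEMO_WORDS = ["amber", "brick", "cloud", "delta", "ember", "flint", "grove", "haste",
              "ivory", "jolly", "kiosk", "lemon", "mango", "noble", "olive", "pearl"]


def passphrase_bits(n_words, wordlist_size=WORDLIST_SIZE):
    """Entropy of n words drawn uniformly and independently from the list."""
    return n_words * math.log2(wordlist_size)


def insertion_bits(n_symbols=36, word_choices=3, position_choices=3):
    """Entropy added by the insertion step when the attacker knows the scheme.

    Two dice pick 1 of 36 symbols; one die read in pairs (1-2, 3-4, 5-6) picks
    1 of 3 words; another die read in pairs picks 1 of 3 places in that word.
    """
    return math.log2(n_symbols * word_choices * position_choices)


def years_to_exhaust(bits, guesses_per_second):
    """Years to try every candidate; the expected time to a hit is half of this."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def make_passphrase(wordlist, n_words=6, symbols=SYMBOLS):
    """Generate a passphrase and apply the insertion step, using a CSPRNG for dice."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    target = secrets.randbelow(3)          # first, second or third word
    position = 1 + secrets.randbelow(3)    # second, third or fourth place
    symbol = secrets.choice(symbols)
    word = words[target]
    words[target] = word[:position] + symbol + word[position:]
    return " ".join(words)


if __name__ == "__main__":
    rate = 1e14                            # guess rate quoted in the thread
    base = passphrase_bits(6)
    extra = insertion_bits()
    print("sample (demo list only):", make_passphrase(DEMO_WORDS))
    print(f"6 words: {base:.1f} bits, {years_to_exhaust(base, rate):.0f} years to exhaust")
    print(f"with insertion: {base + extra:.1f} bits, "
          f"{years_to_exhaust(base + extra, rate):.0f} years to exhaust")
    print(f"a 7th word instead: {passphrase_bits(7):.1f} bits")
```

Under these assumptions the insertion step is worth about 8.3 bits, less than the roughly 12.9 bits a seventh word adds.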

  • @JoseyStranded
    @JoseyStranded 1 year ago

    Spaceballs.

  • @N7eptune
    @N7eptune 1 year ago

    The worst problem in my opinion is even in incognito mode your user name is still auto filled. So a long random conglomeration stored in my brain is the most secure.

  • @JoseyStranded
    @JoseyStranded 1 year ago

    Ok mom. I'll get one now.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    Good man.

  • @Cryptonomics7
    @Cryptonomics7 1 year ago

    Is this a rerun episode? :)

  • @NaomiBrockwellTV

    @NaomiBrockwellTV 1 year ago

    nope!

  • @savagepro9060
    @savagepro9060 1 year ago

    Naomi: You NEED to use a Password Manager! I do: Human Resources, oh she's good!

  • @johnbougearel9215
    @johnbougearel9215 1 year ago

    Munch Skull - well done ha ha

  • @apbmes7690
    @apbmes7690 1 year ago

    THIS.

  • @carlovincetti4538
    @carlovincetti4538 1 year ago

    I use only one random number password, about 9 digits I have used all my life and a 4 digit pin I have never changed. Never have I been hacked. It took about two weeks to memorize my password, and you can't ever hack a random number password. If you already have a good password, you need no other. Never use a password that is worded. When banks ask for security question, answer it correctly so you don't forget, just spell it different. Mine I use to like, to question the name of my first pet is "Kats"

  • @Steven_nevetS
    @Steven_nevetS 1 year ago

    My password is: incorrect So if I forget my password, the computer tells me: your password is incorrect

  • @savagepro9060

    @savagepro9060

    1 year ago

    @i-mm-o res email user: "either your password is incorrect or your username"

  • @baruchben-david4196
    @baruchben-david4196 1 year ago

    You can also use different usernames, also somewhat random. It's just one more obstacle for a bad actor to overcome.

  • @xkeyscore1120
    @xkeyscore1120 1 year ago

    Password managers (software-based ones) are vulnerable to exploits. It's a tricky one

  • @puravida5683

    @puravida5683

    1 year ago

    I would agree, even the NSA got hacked!

  • @doooofus

    @doooofus

    1 year ago

    i don't really see the point in a dedicated piece of software as a password manager tbh, don't see why an encrypted text file doesn't achieve the same thing. i just have a veracrypt container for mine but because i use triple cascaded encryption (i think mine is aes-twofish-blowfish but i haven't really had a reason to check it since i set it up) i can't actually decrypt it from my phone unless i pay for the (closed source) full version of EDS, so i have a second text file that gets encrypted with some pgp app i forgot the name of, and just manually sync them when i get the chance, not rly the most techy solution but it works for me. also i don't have some of the more sensitive passwords on there in case my phone gets pwned

  • @Note10plusAura

    @Note10plusAura

    1 year ago

    @doooofus I've wondered that for a while, to the point that i question, is it possible an encrypted txt file could even be slightly MORE secure than say KeePassXC (which is great in its own right)?

  • @doooofus

    @doooofus

    1 year ago

    @Note10plusAura surely it would due to reduced attack surface

  • @ReubenYap

    @ReubenYap

    1 year ago

    @Note10plusAura @doofus When you have 100s of websites, an encrypted text file can be a bit of a pain to search and copy paste (esp on mobile). Also, if you want to keep that synced, it is more involved.

  • @aussie8114
    @aussie8114 1 year ago

    If someone has their banking password in a password manager they may want to look into whether their bank will cover them against fraud if it gets used illegally. I suspect not.

  • @Timesynergy
    @Timesynergy 1 year ago

    She never made a vid about which password managers are best😢

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    1 year ago

    We have a backlog for the next 6 months, but it is in our pipeline :) we are a very small team with very little funding 💛

  • @pprathameshmore
    @pprathameshmore 1 year ago

  • @quintaeco
    @quintaeco 1 year ago

    Simple: stay offline unless you buy groceries or do banking. Don't install Twitter, Facebook or other social media on your mobile device. I use a 32 character password and I copy paste it from an encrypted file.

  • @firstlast6808
    @firstlast6808 1 year ago

    Y is my name in the thumbnail...,.n that's the 2nd time someone has put 35 in relation with my name y.? I'm not 35

  • @timhorton698
    @timhorton698 1 year ago

    I'm not good with computers. My cat studies IT. She does all that stuff in my house

  • @PhotographerSteve
    @PhotographerSteve 1 year ago

    What doesn’t work - telling people “don’t reuse your passwords”. What DOES work? Saying, “Passwords + Toilet paper NEVER reuse!”

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    1 year ago

    Haha I like it

  • @puravida5683
    @puravida5683 1 year ago

    That's all fine and well. Unless, you are a senior citizen! Seniors dread even getting near a computer, and everything needs a user name, password and secondary verification to boot.

  • @tigreonice2339
    @tigreonice2339 1 year ago

    Encrypt your post-it and it's safe ;)

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    1 year ago

    lol

  • @zwarst
    @zwarst 1 year ago

    Password Password

  • @rey_nemaattori
    @rey_nemaattori 1 year ago

    'Most people default to really bad password habits' Because we're being forced to due to really bad password policies, forcing users to use upper and lower case, numbers, special characters, sacrifice a virgin and use an extra key forced by elves in the moonlight, while at the same time capping the max length for some weird reason. I could use a sentence of hundreds of characters (say, from a book I love) as a password and it'll still be safer & harder to crack than an unmemorizable password of 18-24 characters.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    1 year ago

    Adding those elements makes the password harder to brute force. How are you going to remember 100s of different unique sentences for each of your different accounts?

  • @wombatdk

    @wombatdk

    1 year ago

    @NaomiBrockwellTV He's not completely wrong. Humans CAN remember words far better than random junk. The math is roughly like this - depending on keyboard you can type just under 100 different characters "easily". Most native speakers know about 40k words but can and will remember unfamiliar words as long as they're not too oddly spelled. Using combination probability n!/(r!*(n-r)!) gives us:
    ~1.3e18 for 16 random characters out of 100 characters.
    ~8.5e20 for 5 words. (presuming all same case)
    ~1.0e15 for 4 words. (presuming all same case)
    Considering that the average length of a word in English is 6 characters, you end up with a password length of 30 for a 5-word password. Add capitalization and you basically are more secure than random characters, while at the same time being able to remember passwords pretty easily - unless you have memorization issues, which is a valid concern. This only applies for using RANDOM words from your native language, not words from a book.
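Added example, not part of any comment on this page: the arithmetic behind this exchange and the earlier "6 random words - 77bits" question, putting the n!/(r!*(n-r)!) count quoted in the thread beside the count for ordered picks with repetition, which is what a random generator actually produces. The 7776-word list size (the EFF long list) and the use of the thread's "1 Hundred Trillion" guesses per second as the attacker's rate are assumptions made for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace_sequences(symbols: int, length: int) -> int:
    """Ordered picks with repetition allowed: symbols ** length."""
    return symbols ** length

def keyspace_combinations(symbols: int, length: int) -> int:
    """n!/(r!*(n-r)!): unordered picks without repetition, as quoted in the thread."""
    return math.comb(symbols, length)

def bits(keyspace: int) -> float:
    """Entropy in bits of a uniformly random choice from the keyspace."""
    return math.log2(keyspace)

def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst case (every candidate tried); the average case is half of this."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR

# (label, number of symbols or words, number of picks)
SCHEMES = [
    ("16 random chars, 100 symbols", 100, 16),
    ("4 words, 40k vocabulary", 40_000, 4),
    ("5 words, 40k vocabulary", 40_000, 5),
    ("6 words, 7776-word list (assumed EFF long list)", 7776, 6),
]

def compare(schemes, guesses_per_second: float):
    """Return one row per scheme with both counting models side by side."""
    rows = []
    for label, n, r in schemes:
        seq = keyspace_sequences(n, r)
        comb = keyspace_combinations(n, r)
        rows.append({
            "scheme": label,
            "bits_sequences": bits(seq),
            "bits_combinations": bits(comb),
            "years_sequences": years_to_exhaust(seq, guesses_per_second),
        })
    return rows

if __name__ == "__main__":
    rate = 1e14  # "1 Hundred Trillion" guesses per second, from the thread
    for row in compare(SCHEMES, rate):
        print(f'{row["scheme"]:<50} '
              f'{row["bits_sequences"]:6.1f} bits (ordered)  '
              f'{row["bits_combinations"]:6.1f} bits (combinations)  '
              f'{row["years_sequences"]:.3g} years to exhaust')
```

These figures assume every pick is uniformly random and that the attacker's guess rate is not slowed by a password-hashing function; both change the result by orders of magnitude.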

  • @harambeduck4110
    @harambeduck4110 1 year ago

    hot chick giving IT advice... nice! like that content.

  • @johnmorris5212
    @johnmorris5212 1 year ago

    What are you with such a YUBI key? as USB changed every 3 years. or even disappeared on laptops?

  • @rphilipsgeekery4589
    @rphilipsgeekery4589 1 year ago

    Password managers are great for preventing you from being tricked by a fake copy of a web site, the URL won't match no matter what tricks they do

  • @MikeHunt-rw4gf
    @MikeHunt-rw4gf 1 year ago

    Algorithm.

  • @LS-pk3lh
    @LS-pk3lh 1 year ago

    I just write all of my passwords on a piece of paper. I also have it on a jump drive that I keep in a secure place. If you use a pw manager, and it gets hacked, you are screwed.

  • @oceanwonders
    @oceanwonders 1 year ago

    90%+ of people should just use an online PW manager service. You want something that frees up your time and attention, not something that's an added burden to deal with.

  • @nuts2559
    @nuts2559 1 year ago

    password managers make it simple to get all your passwords just by getting 1.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    1 year ago

    That's what 2fa is for

  • @RJ-un2xh
    @RJ-un2xh 1 year ago

    fyi lastpass had vulnerability recently lol
