How Password Managers Work – Computerphile

July 23, 2019


Are we back in the realm of passwords? We're back to passwords. Actually, we're back to password managers, because I haven't done a proper video on this. I've talked about password managers briefly while I was talking about, you know, good passwords and things like this. But they're very, very important nowadays, right? So what is it that's good? And why is it okay that we're putting all our eggs in one basket?

Just before we start the video about how they work: would you recommend a password manager?

100% yes. There are probably some use cases where you wouldn't want to use a password manager, but off the top of my head I can't think of many. I think that your security is better with one, right? Even though there obviously is some small amount of risk that you take by putting your passwords in an encrypted database on the internet. Like, you know, I'm not a security researcher, but the majority of security researchers use password managers and would advocate the use of password managers. The weakness of password managers that we'll talk about is really implementation detail, right? In theory they're very secure.

But in practice, is auto-filling on a website a good idea?

I suppose it depends on what the website is. You know, there is talk of maybe invisible forms that get auto-filled and they capture the passwords, things like this.
Let's first think about what it is that a password manager does and why we would want that right now. We've talked about passwords before, and the issue really is, if your passwords are going to be secure, generally it is going to be quite hard to remember a lot of them, right? Yes, we've talked about coming up with a good password, and I think it's quite plausible to remember one or two very good passwords, but to remember two dozen or three dozen or a hundred, that's getting a little bit silly, right? So then your choice is to write them down, or to use the same password all the time, which isn't a great idea, or to use a password manager. And quite simply, a password manager is a big list of your passwords, encrypted, right? We usually call it a vault; sounds cool. So you have, you know, Amazon, and you have your password for Amazon, and then, you know, eBay and your Gmail and so on, all the different products that you use, all the different passwords that you have. And in a lot of password managers you can store additional information like passport numbers or social security numbers, depending on whether it's a useful feature to be able to retrieve those things.

Obviously having this is kind of having all your eggs in one basket. What it's going to do if someone gets it is unlock everything you have, because the password manager only makes sense if you use it for everything. Otherwise I kind of don't know why you would use it at all. So obviously this is going to be encrypted, right? So this is going to have some kind of encryption on it using some kind of key. And so the real question is, you know, where are we storing this key? Whose key is it? Who has control of this key? Who can get to this key? That's really what it comes down to: whose key is this?

Obviously some password managers have cloud storage solutions where you can upload passwords off your mobile phone and get them on your laptop and vice versa, sometimes even share them with other family members, things like this. These are kind of the products I'm talking about today. If you have to use a product like KeePass, which is entirely offline, any cloud storage is on your own back. Then the security implications are slightly different, right? In some sense it's more secure because you have control over that thing, but I would argue, given what we're going to talk about, not a huge amount more secure, and at the cost of quite a lot of convenience. And to be honest, for the majority of users convenience is important: if you don't get convenience out of a password manager you aren't going to use it effectively, and then you're going to weaken your passwords or use the same password and you've undermined everything anyway.

We've encrypted all these passwords with a key. Now I'm going to talk about how we manage this key and how we prevent the server from being able to access these passwords, as well as attackers and things like this.
I'm going to talk in the general sense, right? I'm familiar with how things like LastPass and 1Password would work, and I'll sort of nod to them a little bit, but I want to talk in general about how password managers do this, because they have quite strict requirements. The encryption with KeePass is fairly similar; slightly different algorithms are used for encryption, but it's the same. It doesn't have the same requirements on security in transit because it's not in transit, right? So because you're using KeePass locally, really your master password is sufficient to derive a key and to decrypt your data, right? There's no issue of what if the server learns your password, because there is no server.

The first important thing to know about cloud-based password managers is that they don't do any decryption or encryption themselves, and all of your vault is encrypted by you at the client side and then sent encrypted to the server. All right, so that's a good thing, because it means that they don't hold the key in their database, which would mean that a sort of dodgy rogue admin, or if it got leaked, would be a huge problem.

So really there's kind of two problems we have to solve, right? One is how do we derive a key that the server doesn't know but we can use, and the other question is how do we convince the server to send us a vault in the first place? Because in a cloud-based solution this encrypted vault is sitting on a server. I want to say, my login is this, my master password is this, please send me my vault so I can decrypt it. But you've just sent them the master password; isn't that a really bad idea? That's the question we're going to try and answer.
So, the way this works is we're going to be deriving keys based off our master password. All right, so all password managers are going to have some kind of master password. Please see the part of the video on this: most people's passwords are not sufficient for use as a master password. I mean, it has to be very, very good. If it's any variation on the word "password", or has any of the numbers 1 2 3 4 in order in it, you need to delete those passwords. Maybe delete your account out of shame. Yeah. So, but that's a different video; we've already covered this a lot.

All right, so what we're going to do is we're going to perform two derivations from this password. We're going to use it to produce our vault key, right, using some function. So we're going to perform some function to turn our master password into a vault key. I'll try and sort of note differences between different password managers as I go. We're also going to use our master password for some kind of authentication mechanism with the server. So what's going to happen is we're gonna take our master password, we're going to authenticate with the server, it's going to say, yep, you are who you say you are, but during that process it's not going to learn what the master password is. It's going to send us the encrypted vault. We're going to derive a different vault key, and that's what we're going to use to decrypt the passwords locally. We add or remove any passwords we want, we encrypt the vault, and we send it back to the server and it gets stored.

Now this will seem a little bit implausible. We've just logged in using our master password; we're also decrypting using our master password. This all sounds very fishy. It all sounds like someone just wants all my passwords and they found a way to convince me to put them all on a big list for them. But actually it's quite elegant; there's quite an elegant solution to this.
So let's start with the way that LastPass does it, because it's fairly common, and then we'll talk about the differences with, say, 1Password. What LastPass will do is it will produce a master password by appending your email and your master password, so I'm going to call that "pass". It'll append them together and it will hash them, and this is going to be a very, very strong hash function, a hash function with many, many iterations, to prevent it from being brute-forced. We talked a little bit about this during the password cracking video, but the idea is that if you're going to break a password you need to guess it a lot of times, and the slower that hashing process is, the slower your guesses are going to be and the longer it's going to take.

When you say iterations, do you mean that it's hashed over and over again, or...?

Basically, yes. You actually use an HMAC to do this, and the function is called PBKDF2, password-based key derivation function, and what it essentially does is it takes your string that you're hashing, uses HMAC, and iterates it a number of times, and in this case it iterates a hundred thousand times. Right, which is a lot of times. And this is going to produce your vault key, or at least it's going to produce sufficient bits from which you can derive a vault key, right? So your vault key is going to be, I don't know, a 256-bit AES key or something like this, and it's going to be used to decrypt your vault.

Now, but we don't have the vault, because the vault's on the cloud. So we're going to take our vault key V, which is this one, we're going to append our password again to it, and we're going to do the same, you know, epic hashing function on this, another 100,000 times. Well, yeah, you'll do fewer times on your client; I think it's five thousand on the client, and then it will go to the server for another hundred thousand or something like this, something ridiculous, because, you know, the server's got the power to do this. What we've done here is we've got our vault key and our password in here, which are essentially our primary identifiers, but we've hashed them so you can't get to them, and that's what we're using to authenticate ourselves. Now, at the server end that's going to be salted and hashed as normal for storing in a database. So there's no easy mapping for an attacker to get from here back to here, because you'd have to essentially undo this hash, which can't be done, or guess the hash, which is incredibly slow because of how many iterations we're talking about.

So what happens is you use your master password to derive a vault key, and then you use that vault key and your password again to derive an authentication key, which is what is used on the server. So there's no way for the server to extract this vault key, because it's probably lost. On the other hand, only you have the password, so only you can produce either of these keys, so you're the only one that can request your vault and you're the only one who can encrypt and decrypt your vault. Good, right? If your master password is good, right?

Another link to my video. Just keep putting them in. Not "password1" then. Not "password1", goodness. No, we've been over this. And not "correct horse battery staple".
All right, so 1Password, for example, is ever so slightly different. 1Password has a public and private key mechanism, because they want to be able to share vaults around. So your vault is protected by a key, and that key is protected by a public key, the private component of which is encrypted by your master password. And 1Password also adds another bit of unknown, which is your secret key, which is a device- or account-specific thing held on your device, the idea being that it makes it a little bit harder for the server to theoretically break your hash. 1Password also doesn't derive an authentication key straight off the master password this way. They use something called a password authenticated key exchange, which is kind of like Diffie-Hellman but with passwords, where your master password is used as part of a handshake with a server to authenticate you instead. All right, the advantage of that being that they have to then break Diffie-Hellman first before they can begin trying to hash your password. It makes it a little bit harder. The chain of decryption gets quite complicated, because you have a master password and secret key derived master key, which is used to decrypt your private key, which is used to decrypt the vault key, which is used to decrypt the vault. Go and animate that.
All of this is susceptible to something like malware or key loggers.

That's absolutely so. This is in some sense the biggest hindrance with password managers: if you get a key logger, or a website where it's accidentally auto-filled in the wrong place, or the implementation is not as theoretically sound as the theory is, that's when you've got a problem. Most security researchers and people in the security industry would argue that the benefits you get from having a good password mechanism like this outweigh the drawbacks of there possibly being a potential breach, right? But it is something to be concerned about, which is why places like 1Password would have bug bounty programs, where if you find an issue you can let them know and they'll try and fix it nice and quickly.

There's a question of trust. Do you trust these companies?

I suppose I probably do, and it's because their business model wouldn't make sense if they weren't trying to be trustworthy, right? They've got one of two agendas, right: either they are trying to store my password securely so that I keep giving them my yearly fee, or they are trying to use all my passwords to hack my accounts, in which case there are other ways to do that and it doesn't seem like a very good business model. Yeah. But I suppose it's possible. I don't lie awake at night worrying about that. There are differences between how the password managers manage their different ways of doing authentication and doing the encryption and things, and I'm not too worried about them. I think that they all look pretty plausible, and I sort of looked into them, and I think the security industry in general was fairly pleased at how things are going. I think you use the one that works best on your devices and, you know, is the price you want and the convenience you want and so on. It's a product at the end of the day.
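As an added worked example (not LastPass's, 1Password's or Computerphile's code), here is the two-derivation scheme described above using only Python's standard library: PBKDF2-HMAC-SHA256 turns the master password into a vault key, a second PBKDF2 pass over the vault key with the password appended gives the value that is actually sent to the server, and the server salts and re-hashes that value before storing it. The iteration counts are the ones quoted in the video; the use of the email as salt, the HMAC-based stream cipher standing in for AES-256, and the vault format are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# Added example, not a product's code. Iteration counts are those quoted in the
# video; the salt choices and the symmetric cipher below are assumptions.
VAULT_ITERATIONS = 100_000        # client: master password -> vault key
CLIENT_AUTH_ITERATIONS = 5_000    # client: vault key + password -> auth hash
SERVER_ITERATIONS = 100_000       # server: auth hash -> salted stored hash


def derive_vault_key(email: str, master_password: str) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password, salted with the email
    (assumed reading of 'append email and password'). 32 bytes = AES-256 size."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), VAULT_ITERATIONS, dklen=32)


def derive_auth_hash(vault_key: bytes, email: str, master_password: str) -> bytes:
    """Second derivation: vault key with the password appended, PBKDF2 again with
    fewer iterations. This value, never the password or vault key, goes to the server."""
    return hashlib.pbkdf2_hmac("sha256", vault_key + master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), CLIENT_AUTH_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for AES-256 so the example needs no
    third-party library. It is not the cipher any real product uses."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, entries: Dict[str, str]) -> bytes:
    """Client-side encrypt-then-MAC of the vault: nonce || ciphertext || tag."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> Dict[str, str]:
    """Reverse of encrypt_vault; raises ValueError on a wrong key or tampered blob."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault authentication failed")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


class VaultServer:
    """Holds only (salt, re-hashed auth value, encrypted vault) per account.
    It never receives the master password or the vault key."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Tuple[bytes, bytes, bytes]] = {}

    def register(self, email: str, auth_hash: bytes, encrypted_vault: bytes) -> None:
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, dklen=32)
        self.accounts[email.lower()] = (salt, stored, encrypted_vault)

    def login(self, email: str, auth_hash: bytes) -> Optional[bytes]:
        """Return the encrypted vault if the auth hash verifies, else None."""
        record = self.accounts.get(email.lower())
        if record is None:
            return None
        salt, stored, encrypted_vault = record
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, dklen=32)
        if not hmac.compare_digest(candidate, stored):
            return None
        return encrypted_vault


def round_trip(email: str, master_password: str, entries: Dict[str, str]) -> Dict[str, str]:
    """Register, then act as a fresh device: re-derive both keys from the master
    password alone, fetch the blob and decrypt it locally."""
    server = VaultServer()
    vault_key = derive_vault_key(email, master_password)
    server.register(email, derive_auth_hash(vault_key, email, master_password),
                    encrypt_vault(vault_key, entries))
    new_device_key = derive_vault_key(email, master_password)
    blob = server.login(email, derive_auth_hash(new_device_key, email, master_password))
    if blob is None:
        raise PermissionError("server rejected the auth hash")
    return decrypt_vault(new_device_key, blob)


if __name__ == "__main__":
    # Constructed sample vault, not real credentials.
    sample = {"amazon": "constructed-password-1", "gmail": "constructed-password-2"}
    print(round_trip("alice@example.com", "a genuinely long master passphrase", sample))
```

A wrong master password fails at the server (login returns None) before any vault bytes are sent, and a wrong vault key against a stolen blob fails the tag check rather than producing garbage.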

100 Comments

  • Reply *S U C T I O N* May 2, 2019 at 12:18 pm

    SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL SHILL

  • Reply Ahmed Saleh May 2, 2019 at 12:43 pm

    One of the reasons: I want to use my password on other systems that don't belong to me, so I'll have to get the password from any password manager service provider and then type it there.

  • Reply justpaulo May 2, 2019 at 12:54 pm

    So essentially this is just like PGP. There is a private key and a "public" one. You give the public to the password manager which then returns your vault, which then you decrypt using your private key.

  • Reply Orion May 2, 2019 at 1:07 pm

    So much less stress watching these out of interest and not as part of a cramming session.

  • Reply Daniel Astillero May 2, 2019 at 1:13 pm

    LastPass is earning a lot from Enterprises.

  • Reply TheIgnobleSavage May 2, 2019 at 2:04 pm

    How secure are the passwords generated by LastPass autogenerate feature and are they more or less secure than creating your own from a phrase or line in a book with numbers and symbols added?

  • Reply joakim kuusemaa May 2, 2019 at 2:46 pm

    I was hoping to see you do this topic, thank you 🙂

  • Reply A Hateful Guy May 2, 2019 at 2:54 pm

    11:05 or use open source password manager and create your own private server password manager

  • Reply PJ Pollina May 2, 2019 at 3:00 pm

    #PoundGang4Life

  • Reply Dave Howson May 2, 2019 at 4:17 pm

    And then there are people who store all of their passwords in Chrome

  • Reply shreepads May 2, 2019 at 5:05 pm

    2:18 "use it for everything or don't bother using it at all" is pretty silly advice.

    Also KeePass 2 is great!!

  • Reply Valueless Dollar May 2, 2019 at 5:56 pm

    I use keepass2 and make backups (4 different local locations on flash drives with obscure filename) EVERY TIME I edit it.

  • Reply Jeff Albert May 2, 2019 at 6:10 pm

    Always enjoy these videos. But can you talk more about account recovery keys? Or master decryption keys and how they work. A lot of these services have methods to recover your account in case you lose your master password with master keys, how do those work?

  • Reply Sam The Quantum Atheist May 2, 2019 at 6:37 pm

    PBKDF2 is really bad… ASICs against them can easily be made. They should use Argon2.

  • Reply I think I'm Hipster May 2, 2019 at 8:02 pm

    You can increase the security by using multiple password managers for a different subset of your passwords and then use a password manager for your password manager!

  • Reply Jason Remy May 2, 2019 at 9:14 pm

    Frodo Baggins has let himself go…

  • Reply Liokardo May 2, 2019 at 9:29 pm

    He looks very serious in that thumbnail.

  • Reply ThePotaToh May 2, 2019 at 9:48 pm

    Or you can do it like me, just create gable passwords for my accounts and then whenever I need to login I just click 'Forgot password?' because that's how secure everything really is.

  • Reply The Sickest Kunt May 2, 2019 at 9:53 pm

    KeePass is super convenient if you can set it up

  • Reply MrHatoi May 2, 2019 at 10:29 pm

    The only reason why I don't use a password manager is because I don't want to end up using a public computer or borrowing someone else's computer and not have my password.

  • Reply Clumber Snutch May 2, 2019 at 11:24 pm

    The tragedy is I had always really enjoyed Dr Pound's videos until I found out he's l*ft-handed.

    Unsubscribed.

    There's enough debasement in this world without what I had considered a wholesome and informative channel promoting this vile carry-on. I could really rather genuinely never trust my passwords with a sinister

    The LORD told us so. Psalm 116:16.

    Like if it made you feel unwell and ruined an otherwise informative video.

    Reported as offensive – I expect to many it will sound petty, but in this world turning away from the saviour, promoting l*ft-handedness as anything but a spiritual illness is sickening.

    I'm praying for you Dr Pound, you will receive HIM.

  • Reply Balls Are Bankrupt May 2, 2019 at 11:42 pm

    Hi mate, have you ever considered using "clearasil"? It may be worth trying for you

  • Reply Hamoon Hassan May 3, 2019 at 12:42 am

    I understand all of this but I have a question
    when your vault is completely set up and is secure but I want to add a new device I enter my login credentials and the vault comes to my new device but how does the private key come to my device?

  • Reply Jamie521 May 3, 2019 at 1:49 am

    i love the blender animations

  • Reply thegamecracks May 3, 2019 at 2:09 am

    I find this video is a bit too quiet.

  • Reply Taylor The Warlock May 3, 2019 at 2:54 am

    DR. MIKE POUND MY FKN GUY

  • Reply KrisGlasier May 3, 2019 at 3:27 am

    Lol… I think I overkill my iterations. On my offline key manager, I've got over 50M iterations for my key. It's like a 5 second wait before connecting to the cloud storage it's in.

  • Reply Palundrium May 3, 2019 at 3:50 am

    He keeps talking about how the server might crack your password. It's not about the server cracking your passwords. It's about the people who hack or steal your data off that server doing that.

  • Reply Michael Hammer May 3, 2019 at 6:25 am

    Super awesome! I love password topics covered by your channel. Please more. Thanks!!
    Also: A recommendation which password manager Dr. Pound is using would be great!

  • Reply C0deH0wler May 3, 2019 at 7:20 am

    1:41 Or use a strong base-password and append suffixes and prefixes depending on the site? Double-authentication either way tho!

  • Reply SirCalava May 3, 2019 at 8:33 am

    The reason why one would not trust those companies is because primarily they're in the business for the money. We've seen the same go wrong with CA's (certificate authorities), their primary concern is money and your security comes second.

  • Reply Steven Shawa May 3, 2019 at 1:00 pm

    10:15, the thing we came for.

  • Reply Raymond May 3, 2019 at 2:15 pm

    nice try Dr Mike, but i don't think people will simply give their passwords away to these 3rd party. I mean, probably boomers will since they don't even know how smart TV works, but nice try.

    Text File saves the day. Next phase is "encrypt everything".

  • Reply Outfrost May 3, 2019 at 3:13 pm

    As a modern, cross-platform, drop-in replacement for KeePass, I'd recommend KeePassXC.

  • Reply Brock Elmore May 3, 2019 at 3:44 pm

    You say there are three methods of keeping passwords, writing down, same password, or password manager. The best solution is to create a very simple formula that you can easily remember that creates unique passwords for each website. Off the top of my head, some base password that is easy to remember + some easily repeatable function (rule) that spits out a few characters to add to the base password. A hacker would have to have 2 hacked passwords + do specific code cracking to figure out your function

  • Reply Emperor Blobby May 3, 2019 at 6:02 pm

    What's wrong with just using a script that takes a key word like "amazon" and your master password and deterministically generates a password for you on the fly, locally, nothing stored?

  • Reply Ilias Velaoras May 3, 2019 at 6:43 pm

    Obligatory mention of KeePassXC, KeePass DX on android and Syncthing for syncing files across devices

  • Reply Kieran May 3, 2019 at 8:35 pm

    How does a “forgotten my master password” work on LastPass then? Does it just wipe the vault once you’ve proven your ID via e-mail or OTP? I haven’t needed to use it, but I’ve noticed the option is there on the login page. If they can’t decrypt my vault, how can I regain access after a password reset?

  • Reply TednTin May 3, 2019 at 9:53 pm

    Keepass FTW
    I use Keepass with 2 step password, one is my password and other is a local key file
    and keepass add-ons allows for browser autologin and also cloud storage.

  • Reply nagualdesign May 3, 2019 at 11:13 pm

    The main security risk, arguably, is that the companies that offer this service collate a lot of data on people's activities, which has a market value these days. They're supposed to remove personal data and make it impossible for their clients to view your particular data directly, but it's still got a tonne of dodgy holes and nefarious possibilities. Best case scenario, it's large corporations looking for aggregated statistics to help them corner markets or whatever. Still stinks, in my opinion.

  • Reply Kevin Tipker May 4, 2019 at 3:40 am

    Notepad number 1# password manager

  • Reply thought2007 May 4, 2019 at 6:05 am

    How can we be sure that the server is actually properly hashing the password e.g. 100000 times? If I wanted to save server costs I could just hash it once and my customers would be none the wiser.

  • Reply pulancheck May 4, 2019 at 7:04 am

    I think I was looking into Keepass or similar cloud based solution (something with a browser plugin) & saw they have the "forgot password" functionality like you see basically on every site.. How is this even possible?
    So, you have your whole vault encrypted with the "master password", the vault is only decrypted locally and on the server it is stored only encrypted.. but that "master password" is also your login password for the site..
    And if you forget it .. you can change it?? That means IT wasn't the actual key used to encrypt the vault, right? I know they mention something in the video with key derivation & concat with email then hash. But still..

  • Reply Wilker May 4, 2019 at 10:02 am

    this is The Lockpicking Lawyer and what i have for you today is the concept and function of the password managers.

  • Reply FlorimondH May 4, 2019 at 12:56 pm

    I still don't get how is it safer to basically have one password to rule them all.
    You are going to get this one password stolen and it won't matter how strong and diverse the ones in the safe are.
    What did I miss?

  • Reply Santosh P.S.S. May 4, 2019 at 2:04 pm

    Using an online password manager will always be 100% risky.

  • Reply Santosh P.S.S. May 4, 2019 at 2:08 pm

    So if we change our passwords every 3 months or so, it’s super secure…

  • Reply MirkWoot May 4, 2019 at 5:17 pm

    Second factor + master password!. I think that should have been mentioned. Tho still pretty bad if someone gets on your computer.

  • Reply TheGamerX May 4, 2019 at 7:07 pm

    I love repeating the start here some replays
    0:00
    0:00
    0:00
    0:00
    0:00

  • Reply Erik May 4, 2019 at 8:19 pm

    What is your favourite Linux distro Dr. Mike?

  • Reply Star Core May 5, 2019 at 1:13 am

    Your brain is the best password manager.

  • Reply Joep Eijkemans May 5, 2019 at 12:29 pm

    isn't the time you send it to the server only hashed 5000 times a vulnerability in this case? or is hashing something 5000 times more than enough and the extra hashing on the server is just overkill?

  • Reply quicktastic May 5, 2019 at 2:08 pm

    All the encryption stuff is great for computers storing information, but a person still needs to remember the plain text password required to unlock it all. For that, people write it down on a sticky note and hang it somewhere around their computer so they don't forget it.

  • Reply sandeep m May 6, 2019 at 3:06 am

    Next time speak clearly 🤔🤔

  • Reply Noobs DeSroobs May 6, 2019 at 3:28 pm

    There are two problems with password managers:
    1. Each new random login requires two logins and an internet connection.
    2. If you forget your password for the pw manager, you are screwed.

  • Reply Manick N May 6, 2019 at 4:07 pm

    Or the business model could be funding from a 3 letter agency.

  • Reply Tantrix Spa and Wellness May 6, 2019 at 7:51 pm

    They say… control one rule them all…” – not recommended if they got “that” password.

  • Reply Conner Turner May 6, 2019 at 10:35 pm

    See Dr Pound, Like Video

  • Reply Andrey Lucas May 7, 2019 at 10:11 am

    Lastpass was breached at least once.

  • Reply i j May 7, 2019 at 3:50 pm

    What passwordmanager would you recommend?

  • Reply V S May 7, 2019 at 6:11 pm

    Didn't understand a damn thing, ask him to retell it in Russian

  • Reply Sadder Whiskeymann May 7, 2019 at 6:57 pm

    FIRSTLY, I am sorry for posting this a few times on relevant vids, but so far got no answer..
    here it goes:
    can someone explain to me how an attacker would use bruteforce, when almost every password-protected-site has captcha and secondary verification (via my mobile phone)??
    i mean, you get to try 3 times only and then it becomes blocked.
    anyone?

  • Reply David Bowman May 7, 2019 at 7:15 pm

    what I do for my passwords is a DB stored on one of my cloud drives, a secure password that is required to access it and a key file kept on a USB drive that I carry with me. I would rather have to reset all of my passwords in the event that I lost that key file than have my data stolen.

  • Reply KazzArie May 7, 2019 at 9:09 pm

    +1 for 1Password. Been using it for several years and cloud syncing it to a service with 2-factor authentication. Even “losing” it all it was easy to recover and never let me down.
    If you aren’t doing it now, get on it👍🏼

  • Reply TheObservationalMode May 7, 2019 at 11:23 pm

    Using keepass 2 as I prefer the idea of holding the database on my own system.

  • Reply Muse May 8, 2019 at 4:02 am

    I need a dreamy computer hacker nerd like this one in my life. Ps password managers are a damn security risk. I keep all of mine in my head. Can’t hack my brain…yet.

  • Reply Joseph Konan May 8, 2019 at 4:18 pm

    But which password manager should we use??

  • Reply Vince Oliverio May 8, 2019 at 5:46 pm

    Mike Pound is the best. Love this guy.

  • Reply Benny Sachdev May 8, 2019 at 10:41 pm

    that marker sound hurts my ears and body

  • Reply Robert Browne May 9, 2019 at 5:29 pm

    What about "password321"? I bet that one's rock solid, but I can't use it now because wanting to share my brilliance has foiled me yet again.

  • Reply Baruch Ben-David May 9, 2019 at 9:30 pm

    Write them down and put the list in your wallet. Don't identify it as containing passwords. About as safe as a credit card.

  • Reply Tristan Schönhals May 11, 2019 at 10:41 am

    If you want convenience with offline password managers I can only recommend using keepassxc and synchronizing your data with a p2p solution between your devices (I use syncthing)

  • Reply Crystan May 11, 2019 at 10:51 am

    I wouldn't trust a password manager under any circumstance, for a variety of reasons. To begin with, most offer a master password reset of some form or another, which means that at some level they have a means to decrypt your data in order to reassign a new password to access it. If your vault key was truly the only way to access your stored passwords, this should simply not be possible without the original. Ultimately it's an all-in approach which makes me uncomfortable.

  • Reply Trevor Lowe May 11, 2019 at 12:51 pm

    Why do they have the most ugly thumbnails in history?

  • Reply Hassan Selim May 11, 2019 at 10:48 pm

    I use HMAC to deterministically generate my passwords (master + domain) every time I need them, but then I use LastPass on my phone for a few passwords for fingerprint auto-fill convenience.

  • Reply Stephan May 12, 2019 at 7:11 am

    Why are password managers a new hype? Mac OS X and Linux Desktops GNOME and KDE have integrated password managers for 15 years now and most apps are using them.

    You should not rely on third-party password managers. You should demand that Microsoft does its homework and create a standard password manager that all Windows apps can work with without proprietary browser addons and all.

  • Reply amitkk May 12, 2019 at 7:36 pm

    What if you forget the password? Do you have a "recover password" option? If so, how does it work?

  • Reply Thorolf May 12, 2019 at 10:28 pm

    It all fell apart when a company named Flightsim Labs (FS Labs), a producer of overpriced flight simulator addons, smuggled a PW sniffer into their installer. This installer demanded admin rights and was somehow able to read the Chrome passwords and possibly others, too. All of this was to combat software piracy, of course. Something this very company had done, too, btw. So the customer buys a 140 Euro software, grants admin rights because otherwise his expensive and as per EULA not refundable software won't install, and without the customer's knowledge the passwords would be uploaded to the company's server. Unencrypted, if that still matters. Of course they got away with it.

  • Reply Thamer Al-saadi May 13, 2019 at 6:21 pm

    I started using an online password manager after this video. Honestly, at first I thought using an offline-based one could be safer, yet they're so annoying and tedious.

  • Reply Luuk Wuijster May 14, 2019 at 9:02 pm

    I dislike password managers. What I do is I have three "levels" of passwords. The lowest being for sites I really don't care about and where I most often do not use real data.

    The medium-strength passwords are for sites where I do use my own data, but if they all get hacked I am not in big trouble or anything.

    The hardest password I use is very long and contains variable bits spread around the password. I use this password for things like Email, PayPal and Amazon. For example my password is: (+)Really###LongPas###sword€4809
    What's on the ### is the variable bit; in email I use the first three letters of the email client I use and three random numbers. These bits change for every important account I have and this way I only have to remember some small things. It works really well for me.

  • Reply OutlawRL May 15, 2019 at 11:54 am

    I use KeePass

  • Reply number 33 May 15, 2019 at 1:11 pm

    Most of my important password protected online services require me to enter a small subset of the characters, often using pull-down menus. How do password managers cope with that? If I have say a 20 character password am I going to have to count to the 7th, 12th and 19th characters of a displayed password in order to enter them?

  • Reply VH May 15, 2019 at 7:17 pm

    Trusting trust, I guess.

  • Reply ConvexEd May 15, 2019 at 10:18 pm

    bless keepassxc

  • Reply Powerfred May 16, 2019 at 5:35 pm

    How does Chrome's integrated cloud password manager fit into this? Is it significantly weaker in terms of crypto?

  • Reply Jos Nienhuis May 16, 2019 at 8:43 pm

    In other words, use keepass with nextcloud hosted on your own server for cloudsync and keepass2android (probably some iOS equivalent out there) and don't be reliant on big companies like LastPass. After all they're a freakin big bulls eye!

  • Reply NickMC512 May 17, 2019 at 8:32 am

    I see Dr. Pound, I know I am about to learn. I tap the like button, tap the play button, and commence learning.

  • Reply Alex Brown May 17, 2019 at 11:19 am

    A video on how masked passwords work would be awesome!

  • Reply George Marcus May 22, 2019 at 6:38 pm

    Take a shot every time he says "master password".

  • Reply Yash Gaikwad May 24, 2019 at 5:37 pm

    I need Tom Scott for this.

  • Reply And One May 30, 2019 at 7:37 pm

    I maybe understand 10% of what Dr Pound is talking about but he does it with such a passion and enthusiasm that I'm still clicking on the videos when I see his face.

  • Reply Todd Marshall May 31, 2019 at 6:17 pm

    Is a password manager needed when, one, you are the only one who knows it, two, you never change it, three, no one else ever sees it? The biggest problem with password managers is that it's like writing your passwords down. The biggest threat to password security is password interrogation. If you never see the password you can't know whether it's weak or strong. All passwords then become equally strong.

  • Reply Tiavor Kuroma June 2, 2019 at 8:24 pm

    keepass has a dropbox addon and many more.

  • Reply Tiavor Kuroma June 2, 2019 at 8:32 pm

    how secure is the function "use windows account"(as key) alone without additional keys?

  • Reply Don. June 9, 2019 at 9:36 pm

    just make your own password manager
    100% risk-free 😛

  • Reply Scott June 13, 2019 at 6:16 pm

    Just use 2 pass on as much as you can. Doesn't matter if you use the same pass a lot then

  • Reply Cannon Fodder June 15, 2019 at 6:13 pm

    ? How many petawatts are wasted calculating squares + sums of ridiculously long character sequences all because humans are greedy cheaters?
    Should we edit human brains/ideologues to remedy this disease?

  • Reply Adi Carlisle June 22, 2019 at 12:09 pm

    What do you call it when you encrypt yourself a clue to a super long password in the style of this
    for example: xj]S7uGPfqJG (smirk-shape-phone-myDr-respect-if)
    p.s. not a real password

  • Reply Saad Hassan June 26, 2019 at 11:26 pm

    Would really love to see an actual programming language or any subject tutorial from Dr. Mike Pound. Love the way he conveys knowledge, so easy to understand.

  • Reply zaidster111 July 19, 2019 at 1:21 am

    Is this a sponsored video? If so your argument at 11:20 is invalid.
