How Secure Is Your Password Manager? 

I reckon my notepad document can do the job

My threat model is mostly me forgetting my own master password to the password manager. Everything else is a lesser threat.

Can't lose your password if you never knew them 😎

I store my passwords in quantum superposition, I either remember them or not and I don't know if I do until I need to use them 😎

I loved it in Battlestar Galactica when they would make such a big deal about the fact that none of their systems were networked to each other - and the one time they did need to run a network, they treated it like the most batshit insane idea anyone could possibly have and as the most dire situation they could possibly be in. If there’s one benefit to nearly being genocided by A.I., it’s that you sure do learn to respect OpSec right quick.

I love that even keepass can store documents and images too. I use it for my lease papers, student loan and IRS documents.

In my opinion, it's best to educate on "good enough" or "reasonable " security. The best in class security which works well for high value targets is not necessarily the most appropriate for the average citizen. Additionally, no matter how good your password practices are, you are still vulnerable to attacks on the services you use, like a credit rating agency, online tax submission, insurance services, any business or utility that stores your credit card or has direct debit capabilities. Many of these services are difficult to avoid using too. Perhaps we can teach people more about context however. Like don't keep your passwords for work in the same password manager as the one you use privately. There is also the balance between security and convenience. Being logged out automatically from your bank after 5 minutes of inactivity is good, but perhaps you would be annoyed if your social media accounts did the same. The same perhaps also with multifactor authentication. All that being said, this video does have very good points :)

I write my passwords in a notebook. This is literally air-gapped level security and highly effective against cyber threats .

On keepass, if you have a secured printer, you can actually print out your passwords very neatly and organized if you fancy having a physical backup.

I store my passwords on the tablets God gave Moses so I think I am good

keeping them written down on a piece of paper is more secure than many password managers, assuming you don't lose it

Another thing to take in consideration is malicious browser extensions, both ones that present themselves as a password manager or connect to your password manager

Also worth adding the Ukrainian and Taiwan flag emoji to your passwords. This keeps you safe from the Russian and Chinese hackers who won't have them out of principle.

jokes on you I write my passwords in my walls

Been using pass since 2013 and do not think I will stop any day soon. Simplicity always triumph!

Great to see that Jason Tatum is so knowledgeable about this stuff

Man I gotta say this. But when I see your face and hear voice there's just something pops up inside of my heart ❤. Love you so much.

My favorite password manager is the combo-locked journal that never leaves my backpack, with cryptic riddles and secrets that need to be used for translating the passwords

your videos have gotten a lot better over the years! gg!

I like the convenience of cloud-based solutions. Tbh i dont have a problem with them if the client is open-source and I can verify that it sends and retrieves nothing that isnt encrypted locally.

Hey Mental Outlaw , do you have plans of discussing security on self hosted services ? ...

bitwarden is the goat of password managers

First time I actually see in one of your videos a vuln that I have used to complete a HTB machine, specifically one called Keeper. It was so satisfying to see that and be like "oh, oh I know that one, I've already used it to hack stuff".

my exp rates go up 10% every time mental outlaw uploads.

My paper notebook has 3 defenses: a locked door, a dog, and a gun. Hack that glowie. ATF grabs the gas

Every time I see Keepass I always read it as "keep ass"

great video as always

I actually remeber all my DIFERENT passwords as my insane brain is the safest software I know of

Very informative, thank you. I don't know why I never considered that there could potentially be a program that reads keyboard inputs. Having something like that sending info back is wild.

Cloud based has a purpose. It's to build and update someone's dictionary db.

This video wasn't what I expected and it's useless for my needs❤

thanks for valuable content :D

This is good content!!

RU-vid keeps unsubscribing me from you, why, this is one of my favorite channels on youtube, youtube stahp

Text editor does wonderfully for me

I'm sure others use the same technique, but I've learned to type in a certain way so that I could just remember a phrase as my password for any given login and then type it quickly while the end result looks nothing like the phrase I memorize.

LOL! Love the Cheeto dead bolt!

I love my password manager, aka my arduino that emulates a keyboard and typed the same password every time it’s plugged in

A video about how to securely use your android phone or overwrite it like with tails for example etc would be handy.

I trust these hands more than the cloud

You can roll back your database with gdrive. Did it a couple of months ago when it became corrupted

What is your opinion of the trend of moving to passkeys?

How's notepad in a veracrypt container?

If someone somehow changed your keepassxc database password, or corrupted it, or whatever, you could just restore from your backups couldn't you? If you are managing your own password database your have backups, right?

I like your club penguin shirt

Keepass ftw

A self hosted password manager is doing the trick for me.

I use passport, it comes with Gryphin Router. It's a block chain storage container

good video

Very secure (notebook on my desk requires physical access)

I use both Bitwarden and Proton pass manager. 👍

Good video.

What do you think of Bitwarden?

Not watching but the trick is to have a password you use for everything. You’ll use that as your second half. The first half can be stored in a password keeper. This way when you autocomplete your password there’s still a bit of manual work to do to get logged in.

Doesn't that vurnability also mean that if i get compromised via Software, that this software can change my password and then steal my vault?

is it problematic when you still use apples built in password app?

Jason Donenfield? Yes, this is the same man behind Wireguard!

In my last company we were considering a cloud password manager. We decided not to. 5 Months or so after said service was hacked.

0:26 Flamin’ hot security

I just create other password for every website and then when I login in, I try 30 of them before guessing right. Works? Works.

Friendly reminder to backup your keepass files to the cloud/NAS (preferably in a encrypted 7z folder)

vaultwarden goated

Is there a password manager that also hase asymetrical encryption? this is to, for example, back up recovery keys for hard drive encryption that should not be easily accessable and rarely if ever used. the private key could then be kept somewhere very safe for a rainy day.

I use bitwarden with the anticipation that ill self host at some point.

Selfhosted Vaultearden, syncing only when im in the local network. Kinda works like a pseudo-sync.

How do you feel about self hosted vaultwarden?

never thought I'd see jayson tatum telling me about password managers but here we are

I made my own terminal based password manager with 256AES encryption that requires a specific usb to run

What would you say of something like Bitwarden, which is open source, but still cloud based

I save passwords on notepad and i change 1 or 2 letters in a password and i remember it. So even someone looks into it. It's not completely a correct password

I use iCloud Keychain, what’s your opinion on it Mental?

I have a manual / offline password management that uses an algorithm thats easy to remember on top of that combined and is kept in my wallet (and other locations, in a 3/2/1 backup style) and even if people get hold of the 'card' they cant decrypt because they dont have the memorised algorithm ... if *any* part of the system is compromised (any 1 of the 3 parts) it takes literally *minutes* to re-create a new 'system' and change all passwords and the old 'parts' are made useless.

I'm a web dev and my next project is a open source, web based password manager. It's probably not going to be amazing but It my data on my software on my hardware on my network.

I store all my passwords in a notebook, what do you think of this practice (no my passwords aren't dumb things like password123)

I dont know why I ever thought you a white man in his early 40s who has been in the IT space since 2005😀. Keep up the goood work, man. love the videos

Title reminds me of, "What color is your Bugatti?"

Self hosted Vaultwarden here :)

nice runescape skin luke

If you work with like Linux Mint, it will keep your Keepass up-to-date automatically via integrated package manager ;)

Keepass and Veracrypt FTW

I have been using a Kingston DataTraveler USB stick and KeePass portable for about 10 years.

i got a text file in a locked zip folder. like that I can also copy the list on USB sticks

The most secure is the simple ones, remember it or put it in a physical lock on a piece of paper

I haven't read the CVE thing, so I might be talking about a different thing. I think there's a scenario that it might be worse than just corrupting the DB: the attacker can change the master password and then copy the database file. This way, they can unlock the DB file later and gain access to your passwords. If they create a backup copy of the file beforehand and then restore it, one might not even be aware of this happening. A way to mitigate this would be to require the current master password when there's a request to change it, even if the DB is unlocked at that time.

Mental outlaw. I know you talked about other companies that seem to do a very good job protecting passwords that you have used. I just have a question about Kaspersky password protection? Has there been any leakages you know about or data sharing? Ik its a russian company but online I can't seem to find a genuine article talking about data breaches other that redditors going dumb and scaring others using "I have heard statements than facts" in password manager. Would love an insight or video on this topic, please 🙏

I find it interesting how no one mentions bitwarden. Is it bad or something?

Great vid. Curious about your opinion on passkeys

I started using buttercup after seeing an article about a new open source password manager. If it weren't for that article, I might have stuck with a plain-text file.

JT doing side quests

What chair is that?

I just wrote my own password manager, it is really quite simple to do if you understand using simple encryption libraries (just wait until those become vulnerabilities ). It stores all passwords in an encrypted file, which you unlock with a master password, and can also encrypt each entry a second time with a different password. You can also store other files, and just plain text in this encrypted database, and you can generate new totally random new passwords when you need to change (as you should regularly do). Really is quite useful.

yet to watch the video but my only password manager is a piece of paper that I keep hidden (and I do use 16 random character passwords). let's see if this changes my mind

Well, you could write down your passwords and store it in a safe deposit box as a backup.

Before i knew about password managers in early 2010s i used to write everything in a txt document and compact with password in a .rar file.

I self host passbolt, shit rocks

This video doesn't really talk about the other side: end user compatibility. A regular user does not know how IT Security works nor should they need to know. If we want those people to use password managers they need to be easy to use. This includes being able to securely sync them between devices without having to configure anything and without having to set up own server infrastructure. A keepass file on a Dropbox share is reasonably good. But it also needs to integrate with your browser (unsure if keepass supports this). And honestly, even a proprietary password manager is better than reusing the same password for every website, which a lot of people actually do.

My personal favorite password manager: The 5gb LUKS partition on my server

I am using a password manager with propitiatory cloud saves, to sync passwords between devices. But I am not storing any passwords there I cannot afford to lose.

I use next cloud passwords app, is that bad? Should I make it more secure somehow? I have 2FA 😁

"Old Man Yells at Cloud"