Welcome to the Homelab Show, episode 76. We realized we hadn't been talking enough about passwords and password management. And, you know, this is a really important topic, and it's still Cybersecurity Awareness Month. So this seems like a really relevant topic at the same time, right, Jay?

Yeah, yeah, and I think I'm aware of it. So I think it's succeeded. But then again, given my job, I already was aware of it. But you should be aware of it too.

Yeah, we want to show everyone's aware of cybersecurity and make sure you have enough cybersecurity training. The reality is, if you work in tech, and I think most of the people here are in tech or tech-adjacent with the homelabs... So I think this is a solid topic to talk about, because, man, people are not always good at it, and there's been a lot of debates. And sometimes I still run into people who are long-time in the tech field that have strange opinions on this topic. So we're going to clear a few things up. I'll even address a video that Jay doesn't know about this, I don't think. There's a video about extracting passwords from a password manager. I will be bringing it up and addressing it.

Yeah, there's some interesting new things out there, but we'll still talk about why that matters, but it's still not a reason not to use a password manager. Before we dive into these details for all the password management, let's talk about Linode, the sponsor of this show. So Linode's been a sponsor since the beginning and a great place to run all those different things that you don't want to run in your lab: run it in Linode's lab or put it on one of their public IP addresses. Great way to host the different projects that we talk about. We have a sign-up and offer code down below so you can get signed up with Linode, and we thank them for being the sponsor of the show.

Yep, we appreciate it. All right, what was the first on the list?
'Cause we're going to get to a full-blown web-based password manager, but I think the first one we want to talk about is probably going to be... or do we want to go really basic? Like, don't put them in spreadsheets.

Well, yeah, I mean, I think that goes to how I was saying, but I feel like we've all seen these in the memes at this point. I think that this actually turned out to be a real product. Somebody somewhere had a photo of a notepad that was specifically made for passwords, where you would just write them in. It would have pre-built areas for username and password, and it looked like one of those old Rolodex books or something like that. And at first I thought it was a joke, but then I realized it actually existed. But I don't think any of our listeners will make that mistake. I guess I could probably summarize all of that: don't write them down on a piece of paper or a sticky note. Don't put them in clear text anywhere. I think that goes without saying, but just in case there's someone out there, well, now you know not to do that.

Yeah, and this is interesting. There's a weird bias on this. It's probably not the best idea to keep them on paper, but to the same extent they're a little bit less hackable. You have to maintain your physical security. You also are at risk of losing them. But that was a common thing, I want to say mid-2000s or so. I think that was not an uncommon thing for people to start doing, because this is the earlier days of where the general public, not the technical community but the general public, really started hammering out getting on the web, with the birth of social media I should say. Because it's not like the internet wasn't used for online shopping and things like that before.
And I bring this up because I was actually watching Better Call Saul, and it was because of the era that part of it was in. It was just kind of funny how they were going into people's houses, and I'm not trying to spoil anything about it, but they were looking for people's passwords, and they would always just grab them off the monitor. Like, they were just going physically into people's houses to grab their passwords so they could get into stuff. So I was like, that's low-tech, clever, burglary hacking, but common for the era that show was set in. So.

And there is one situation in which I feel like writing passwords down on a piece of paper, having it printed out in clear text, is a good thing. And that's if you put it in the safe, because that's not a bad idea. Your keys and whatnot, as long as it's in a safe and no one knows the combination but you, it's not like someone's just gonna walk in your house and steal a piece of paper if it's in your safe. And I feel like that's very common for those emergency passwords: if your two-factor stops working you'll have a number of these passcodes or whatever, but it probably doesn't hurt.

And I did this at one time; I don't do this anymore. I actually did print off the passwords and I did put them in a safe with a lock on it. So that could be an emergency situation where hopefully you'll never need to ever use it, but if something happens... And I have seen situations where people forget their password for their password manager, and if it's encrypted well enough, you're sunk. I mean, if encryption is good, you know it's good if you can't access anything if you lose that encryption key. But don't lose that key to your safe.

Yeah. And I'll also mention, you know, I have a video on FIDO, and I didn't do one yet, maybe I'm gonna wait until, kind of, you know, see where it goes, on things like passkeys. Some of the FIDO stuff is awesome. Passkeys is awesome.
The adoption right now, in October of 2022 at the recording of this podcast, is so low it's not a solution I can say is like, just use this. You know, as much as I love it, I love it where it works, I just wish it worked in more places. And even some of the places it does work, one of my aggravations is some of the places don't allow you to have multiple key slots. So, you know, I recommend getting two FIDO keys, unless you're using a service that, you know... the FIDO spec allows multiple key slots, so you can register more than one key; that way if you lose a key you can still have a backup key. But that standard was not adhered to. So I have a couple of complaints I had with companies, like, I can only register one key, and they're like, yeah, we don't have a spot for two keys, because we adopted and added the support, not as needed, like, so we never really thought about the multiple key problem. So we're gonna kind of keep the topic off of that. I have a video, if you type in FIDO on my channel. Jay's also got... you have a YubiKey video, am I correct?

Yeah, I have a FIDO key video. I have more than one, including using FIDO with SSH, which also... the challenge of using FIDO with SSH is the server has to support it, not just the client. So once again, you'll run into servers that don't support it; they are using older versions of SSH, or if you have to deal with some Microsoft things, Microsoft chose to omit it from their compilation of SSH. I don't know why.

So FIDO is awesome. We've covered these topics, me and Jay, respectively, but for the most part we're gonna focus on password management. So do we wanna start with KeePassXC?

Yeah, I think KeePassXC is a good one. And for the people in the homelab world I don't think it's a bad one. People wanna know why I'm not using it, if I think it's insecure; it's a scalability problem. I manage a group of people.
I manage employees, and as you have more and more people you realize... Someone will say, "But Tom, there's a way you can synchronize the KeePassXC." Yeah, it doesn't scale to having a lot of people. I've actually played with it. I have some neat integrations that allow and have some collision detection for managing passwords, but it's hard to scale. But from an individual user standpoint, if you were looking for a good, private, secure, popular... it has gone, I don't know if it's ever been truly security audited, but it's popular enough in the market that I think a lot of people have poked at it. I think it's not a bad choice, and you can put a lot of information in here, because it's more than password management: you need a little bit of your notes management, maybe an API storage. So KeePass actually has some fields where you can store some of that extra data that's equally important to things.

Yeah, I really like KeePassXC. I actually use it pretty much every day, but it's not my primary password manager, though it is something that I use. It was my primary for quite a while, and what I would do is sync it with Syncthing, basically. So I didn't have to worry about which computer I was on at the time I saved this password, because that's not really something you want to deal with. It synchronized throughout all of them, and it worked really well that way. But again, I'm one person and I don't have employees, so you're right. There's ways to make it scale, but you have to engineer that part, and I know a lot of us, a lot of you guys listening, are like, "We have to engineer something? What's the harm in that? That actually sounds like a good thing, that I have a project to work on," and I totally get that. I later switched to Bitwarden, which we'll talk about later, but I still use KeePassXC for my homelab because of switch passwords and logins to devices and things like that.
It's a great solution, and I just keep using it for that. So even though I don't use it for my personal passwords, it's really useful for everything behind my firewall, and I'm not knocking it at all. It could absolutely be someone's primary solution, and it was for me for quite a while. But just like you said, you can scale it, but it's just not built to scale as well by default, unless you run the edges yourself.

Yeah, and the responsibility is on you at that point as well, to not only remember the master password but also to keep all the backups. This is something that... you can't have just two copies, even, I feel, because it's so important and you could lock yourself out of things. Have a couple extra copies, have an offline copy of it, make sure you have a good integration, a good process, for making sure you're managing that data, backing up that data and keeping it properly secured. I say this very emphatically because I just had another person reach out for consulting that thought I could just undelete their entire ZFS, and I'm like, no, all those datasets are probably obliterated. They purged and deleted it and thought they could just undelete, because they realized after that they didn't want to, and they had all their data and passwords and everything in it.

But what I've learned in IT is that not all users are great at the same thing. Obviously everybody has their strengths and weaknesses, but every user is good at destroying data. Like, that's the one thing universally that every user is good at, no matter what their experience is with computers. It's just, any time anyone ever asked me to get something back, I think I had like a couple of occasions where it was easy. But going back to KeePassXC just one last time, I wanted to kind of point the finger at a feature that I like about it.
And I'm not going to say that Bitwarden doesn't have this feature, because when I say that I often find out that Bitwarden does have that feature, because they have a lot of features, many of which I'm still discovering. But the window matching feature of KeePassXC is really cool. So, for example, let's say you're not using a browser; maybe you're just using an actual app that's outside of the browser, a dedicated standalone app. And you look at the window title, and you could actually match the window title to a password entry and have it auto-fill that app with a keyboard shortcut. So it doesn't have to be in your browser; it's able to auto-fill pretty much everything. So imagine logging into Steam, for example, that's not in your browser; you could do that with KeePassXC. I don't know if you can still do that in the new version; I haven't tested, this was quite a while ago. And then the other thing it can do as well is you can enable browser access to be able to auto-fill passwords in your browser as well. Not everyone knows that KeePassXC could do those things, because at first it kind of looks like just an app to store passwords and nothing else, but it has some extra features there I just want to make sure that people are aware of, and those are some pretty useful features, to be sure. And if you're like a single person managing everything, again, KeePassXC might actually be your only solution, and that might be fine.

Yeah, I wish they would add that feature to Bitwarden, the window focus part. That would be kind of cool, because they do have desktop apps and command-line apps that you can interact with Bitwarden with, but that little window focus feature is really nice. Maybe somebody should just put a wish list item in their version or bug tracker or whatever.
Now, that being said, I mean, I don't know that they don't have it, but I guess if you said that they don't, then I guess that probably means that they don't. But I feel like...

I was opening up the app over here so I could see if that was an option. I know it can't be... it was, like, if I remember correctly, a regex or a text string that you just put in a field that the window will have in the window bar or the window title, and that's how it works there.

So if not, I hope they get it, because that would be really cool if you could auto-fill other apps, not just things in your browser. There is a dedicated app as well with... we'll get to Bitwarden; I don't wanna spoil too much right now.

Yeah. I don't know if there's any feature difference between one or the other, but yeah. Yeah, that's an interesting one. Let's see, actually we should probably move right over to Bitwarden. Did you have anything else to say about KeePass?

I don't. Bitwarden is one of those things that I just love. Before KeePassXC, I was using LastPass. I don't have a whole lot to say about LastPass because it's been a while since I used it. I actually managed an enterprise LastPass account for a company and all the employees. So I feel like I'm very familiar with it, but that was like two or three years ago. And eventually I moved from that to KeePassXC and then from that to Bitwarden, because I personally, and this is a personal opinion, this is not a technical analysis at all, just Jay's personal opinion, I really don't like the interface in LastPass. I don't really know why; it just kind of, I don't know, I just don't feel like it's the best, most streamlined user interface. And then Bitwarden has some issues with its interface as well. But I feel like it's easy to use, it works, it makes sense. And I really like it. I like it a lot. So Bitwarden is something that you can subscribe to. You can have an account on their system.
You could even self-host it if you want to, which I believe is what you're doing. I'm not doing that. And you don't have to pay for it to get all the features. They do have a few features that are paid in Bitwarden. There are a few things that are an upsell on there. It's not a hundred percent, but a lot of them are more of the enterprise features, I should say.

Yeah, I guess that's what I meant to say. Yeah, because there's gonna be the majority of the features on the free one, but I've been paying for it because I don't mind supporting a project, and I've been paying for it for so long I don't even know what's paid or what's not when it comes to features, because it's been at least several years that I've had my paid account. And it's really cheap too. I don't remember what it was off the top of my head, but it's actually very inexpensive.

Yeah, the Bitwarden pricing is really good. And I'll mention, so I've seen someone ask this question, and this is where I land on this: people asking about Vaultwarden. So because of the way Bitwarden is built, and it is open source, people have of course forked it. And if you can have something that's open source, you're gonna be able to go, hey, let's create a version that doesn't have these restrictions in there that I have to pay for, and I wanna add all this extra functionality. Well, my understanding is this is one of the things that Vaultwarden does. Also it's written a little bit differently. So it's open source, it's written a little differently. It's not complete; it's based on the same code, but it has some different ways it's integrated, which also worries me a little bit about Vaultwarden. So when it comes to password security, one of the things Bitwarden has done is really set the bar high. I've used Bitwarden as an example to a lot of other vendors in the enterprise IT and the managed service provider spaces.
If you guys wanna be transparent about your security, look at the way Bitwarden does it. They don't just go through their regular security audits. They're very transparent in how they publish the findings of their security audits. And I think that's an important thing, because just because we can see the code doesn't mean anyone's ever looked at the code. That is the myth of open source: that because you can see the code, someone has looked at the code. I'm sorry, those things don't always work that way. But in the case of Bitwarden, they have paid very good engineering companies, different ones, that way you're not getting the same opinion from the same people. They've had different engineering security testing companies really go through their code, find problems, and they've pushed out fixes for them, or find edge cases, really poke away at it. So because they spent a lot of time on that, I trust that their code is secure, and they are absolutely forthcoming in dumping every year, when they go through their audits, how things are done, making sure they're following secure code practices. The moment someone forks your code and starts doing their own thing, did someone audit the forked code is the question. Because it's not like you can't fork a project and it's secure; at the moment you forked it, it becomes up in the air, depending on what changes were made. I've never taken the time, and I don't know who has, to look at Vaultwarden and say, hey, did they do things in a really secure manner when they did all of that?
Because when you look at the fact that it's like, well, it comes out to be $3.33 a month, I know you gotta pay it annually, so multiply that times 12, but either way, when you look at the pricing being so low, my security is worth more than the 36 that's coming out, like 36 or 37, let's just say 40 bucks a year in the US, $40 US, to have a solid back-end security. I feel comfortable with that. That's an amount of money that is less than most of the streaming services that entertain me; this takes time to secure me, so to me it's worth it. That's how I feel about that from a basic standpoint.

Yeah, I really do agree with that, and, you know, Bitwarden is basically what I wished LastPass was, in my opinion, with the interface being better. But there's a browser plugin, and I remember LastPass slowing down my browsers quite a bit, and this one doesn't seem to do that. Now, to be fair, I don't know if LastPass even still has that problem; they could have, for all I know, completely fixed that. But going back to your point about open source, though, I think the Vivaldi web browser is a very good example of this, because it's actually one of my favorite web browsers, and I would probably consider switching to it full time because it has some amazing features and they've done such a great job with it. But it's not fully open source. And when they're pressured on this not being fully open sourced, they'll come back with, well, the browsing engine is fully open sourced. And like, well, that's fine, but your UI is not, and you've added some things, and there could be a vulnerability chain unless you are keeping up on that, and if you're not, well, how do I know I could use a browser? Which is why I recommend that no one use Vivaldi, but at the same time I hate saying that because it's such an amazing browser. But here you go with the same thing: you have an open source project that's been forked and turned into Vivaldi with their own secret sauce, and sometimes the secret sauce is what does you in at the end of the day.
Yeah, so it's been pointed out, and I think I remember reading this before, as I've never used Vaultwarden: it's not a fork, it's a new implementation written in Rust. So I don't know, now I have more questions, but they made a back end that's compatible with the Vaultwarden front end, so that becomes interesting. And one thing I'll make note of when it comes to browser plugins: one of the rules for writing browser plugins is the code can't be obfuscated. So whether it's LastPass, 1Password or whatever other pass for the manager, the browser plugins are actually never gonna be fully closed source, if anyone's ever wondering about that. That's actually, I didn't realize, that's actually a requirement: you can't do code obfuscation. That's how they monitor what plugins go on browsers. This is true for both Mozilla and for Chrome extensions: the code can't be, you can't just have binary blobs, which I think is actually really smart, because that's how you know if something changed. This is what allows the browser places to understand what's happening. And it doesn't mean there isn't a bad browser plugin that doesn't come in and do something bad, but they're able to reverse engineer it and figure out what bad thing it was doing.

Absolutely. And someone in our chat mentioned that they wouldn't trust any third party to host their passwords, and I can understand that mindset completely. I don't really think it's a bad mindset, but at the same time, if it's encrypted before it leaves, there's never a reason, assuming that the encryption is good. If it's a weak, expired or outdated, deprecated encryption, then that's equally terrible, but assuming it's a really good and strong cipher, then I honestly feel like there's no reason, and correct me if I'm wrong, to doubt a third party. They're just receiving, like, gobbledygook, basically encrypted text. They don't know what it is and they can't know what it is; they can't reverse engineer it. So as long as it's being encrypted properly, I can't really see a reason why
that would be a problem.

Yeah, and the way the password managers work, all the well-written ones, this is gonna be LastPass, Bitwarden and a number of other ones that are out there: they never know. And I have a video called "What your password manager...", "What is sent to your password manager" or "What your password manager knows about you", I can't remember exactly what I titled it, easy to find if you type in password manager. I go through step by step and show how the encrypted blob is handed over, and then from there your master password that decrypts it all, that's happening browser side. It's not actually sending your master password back over the wire out to the system to bring it back. That's a very important distinction for how all proper password... I can't say all password managers; I'm sure someone wrote a dumb one out there that doesn't do that, but the popular ones that I'm aware of, I know specifically LastPass and Bitwarden definitely do that, and I'm sure there are others, which is an important distinction. Now, I think some people have the concern like, hey, now they're handling my passwords and I feel like I'm not in control of it, not from any security standpoint, but what if something happens? Bitwarden, I don't know, they decide they don't want to do this no more, or any password company, or they have a major outage, or someone's network somewhere, then you can't get to your passwords when there's an outage. And this is true for more than just Bitwarden, but I'll mention Bitwarden because we're on that topic and me and Jay both use it: the desktop app and the browser plugin both cache each time they're synchronized. So if the server is offline, it will still have the passwords available to you as of their last sync. The only thing you can't do is add new ones, because it'll give you an error, because it can't synchronize that new information somewhere. So it does not have any offline synchronization capabilities like, I'll write this password now and sync it later, but what it
can do is read all of them or give you last known passwords. You also have the ability to import and export vaults, so if you want to move between password managers, Bitwarden has both import and export options, so you can also just do your own backups as well. And it does offer encryption of those backups, so you can back up your Bitwarden, you can encrypt it and keep that somewhere so you have your own copy.

I do self-host it. There are some prerequisites, though. Now, I like self-hosting it; self-hosting is great, it's just a cool thing, except not everyone is capable of self-hosting or doing these prerequisites, which is gonna be: have a working mail system, so you have to be able to send emails from it; it relies on that for certain aspects of it. You also have to have an SSL cert. Now, it does have the ability to, I believe it's got Let's Encrypt built in. I'm using a proxy in front of it, which works perfectly fine; specifically I'm using HAProxy. I like self-hosting it because it's one extra layer, but it also creates some complexities, so that I've considered moving it back to their system. Because one of the complexities is the fact that if you want to use Bitwarden Send and you don't have it publicly accessible, you're not able to use some of the cool features they've added to it. And I trust them pretty well, to where I feel like it's not a big deal, so I may at some point move it back to the cloud, because then I get some integrations that I don't have. But overall, even if you don't self-host it, it's still a very solid and secure system.

I think my only complaint, and I know this is a very petty complaint, and it's probably not even Bitwarden's fault, I bet you this is the browser's fault in this case: if I'm editing in the browser, you just click on the Bitwarden icon, I don't know, you want to change your password in there or something, or edit some fields, if you ever click off of it, you will lose all your changes, every single time. And I wish that when you clicked on that icon the window would stay
open, because if I change focus to another window, for example, as soon as that change of focus, it goes away. And I feel like that's the most annoying, egregious thing, and it doesn't sound that bad all in itself.

I agree with you completely. Yeah, it is, because when you start editing, especially when you're going in the notes and you have like TOTP codes or whatever it is you want to securely save there, and you have a number of these, especially if you have a browser window open and you're using the desktop, or not the desktop app, you have another browser window open and that one gives you some information, so you want to copy that information and then paste it in there, it's just going to go away as soon as you change the window. But that's not really... I mean, you can work around that.

The other thing, I have a love-hate relationship with this: I love the fact that it has time-based one-time passwords built right into Bitwarden. So you could literally log into a website that asks for your time-based code and then paste, because Bitwarden can handle that for you. But I'm not really sure that I want Bitwarden to be handling everything, because if someone did get a hold of my passphrase they would also have my time-based one-time password codes as well, and I don't think I really like that. But I do, I can see that it is very convenient to just be able to auto-fill a password, paste, hit enter, and then you're in. So I suppose with your less important websites, maybe, I don't know, a forum account or something, might be acceptable, but I'm not really sure I would go as far as to put your banking one-time password in there or anything like that. It's not that Bitwarden is doing it wrong; it's just that if your password leaks then they have the keys to everything, and having some of that segregated might actually be better.

So one of the things I do, and to avoid the little closing window problem, is one, you can pop Bitwarden out into its own little window. So that's how I solve the notes problem. I
do it all the time, because I constantly am using those notes. So yeah, if you click on it there's an option to... it's the little, it's top left, it says pop out.

How did I not notice that all of this time? It is right there, the solution. I was complaining up a storm, and the solution was probably one-twentieth of the time it took me to complain.

Oh, well, no, no, trust me, I've definitely done it, because I'll start typing something and realize I want to copy a piece of data, and I know I've lost the other piece I typed. So trust me, there's a reason it took me a long time before I found it. But the second part, I really like that you can keep the TOTP in there. Which TOTP do I keep in there, though? Because I do keep some, and I'll admit to that, but it's exactly what you said. I have all these different forums I belong to, and with the exception of my forums. I'm not... I'm the main forum administrator, so my forums, I do not keep my TOTP in there. But for all the other forums I'm signed up for, which are everything from pfSense forums and everything else, I always save my TOTP in there, because one, it's low risk. If someone wanted to impersonate me in forums, I don't know why they would do that; they could make me look bad or whatever, but it seems unlikely that my... Here's the thing: if my Bitwarden were compromised, do you know my top concern would not be, "Oh no, will someone impersonate me in the pfSense forums?" Well, throw it out there, that is a concern, but it is on the very bottom of all concerns if someone got into my Bitwarden.

So the only exception in my mind, why this might even be important for some, is if there's metadata even in a forum account, like your address or something. It is possible for someone to use that to do a forgot password or an account authentication thing, or call customer service, "please verify your address". But then again, I mean, you just have to be careful and mindful what fields you fill out and which accounts. I mean, obviously if it has payment information in there, no, but
just to think about the information. I can't think of very many forums that I remember will ask for an address, so that's probably not an issue like you mentioned, but just throwing that out there to make people aware of it.

Yeah, so here's the other problem: if I were to use my TOTP app to store all of those, man, I have enough in there now. So imagine for every forum having another, you know, I have to go to my phone for the app. This is actually one of the reasons I don't use Bitwarden on my phone, because it seems like somewhat of a violation, so to speak, in my head, of trust boundaries. Because if I have Bitwarden on my phone, now my phone, which has rolling 2FA codes on it, also has my passwords on it, and they're in one place on one device, and that bothers me. So I've always kept those, you know, kind of separate on there. Now, and this is not something that's available if you're an iPhone user, but I'll throw this out there: if you're an Android user, or you use F-Droid, Aegis Authenticator is a free, secure and open source app to manage your 2FA codes. I really like Aegis; it's because it's open source, because it's open how they do things. I think it's a really cool app for managing your 2FA. There's always going to be someone out there that says, "I like Authy," and I don't think there's any problem with Authy; I just don't use it. But I know Authy is good for if you're synchronizing between accounts and things like that. I worry about something that can synchronize between accounts; it's just... you can call me a little bit tinfoil hat on that topic, but, you know, Aegis does not have that option. Aegis does have backup and export options. Aegis has a feature I really like, though: if I save a 2FA, I can actually get the 2FA back out of it. I can actually get the code from the 2FA back out if I need to, right? That's a good feature to have as well.

Yeah, Authy has a few quirks of its own, but it's... I mean, it's fine.

Well, the thing with Aegis is I can reproduce the QR code. I hit make
QR code, and you can point my phone at it if we wanted to. Honestly, I have to do this, I wish I didn't: there are certain accounts that don't have multiple users for our business that we use, so me and my staff want to have the same 2FA code because we're using a common username and password, and instead of sticking it in Bitwarden and sharing it, we actually will share it through Aegis by pointing our phones at each other.

Well, I mean, you have to navigate these things, right? Because I feel like that's one of the biggest issues when it comes to security, is that obviously not every app or company is going to make the right decisions. I mean, it could be like a company has the best security that, you know, we know of in their app, and they're doing all the right things, but they also allow SMS 2FA, or worse, only support 2FA via SMS, which just really annoys me. Or, you know, also when you have an "I forgot my authenticator" button that lets you just, oh, you don't have it? That's fine, we'll just verify your account and we'll let you in anyway. So I feel like some companies kind of do all this wrong, but that's a whole other episode altogether. I feel like as long as we keep in mind what each app's capabilities are, and we, you know, navigate around those as securely as we can, then I think we've done our best.

Right. One other feature that's kind of neat for Bitwarden, I'll throw it out there. This goes outside the home lab, but it's worth noting: as someone who's a reseller of Bitwarden, when you have to manage your clients' passwords, one of the things it does is, as we sign clients up, it creates a shared vault between me and the client. So that's how we're moving towards client password management too. There's actually a really cool feature in Bitwarden: I sign up a client, I have a shared vault, I can put the passwords there and then assign them to the users, and they belong to the vault, not to the user. That way if a user changes or moves, that shared feature is actually pretty cool in Bitwarden for helping
you know, you're actually upping the level of security for your clients, and if your client changes passwords you get to see that. You can have access to that common shared vault between them to help manage those. And as an IT service provider, I imagine at least a few of the people here work in the same industry as me, so yeah, I'll still throw that feature out there as being pretty cool. I may do a completely separate video on my channel about it, because we've just been fascinated by how slick it works.

So yeah, I feel like that'll solve a... I know it's not a home lab issue like you said, but in an enterprise I feel like one of my bigger pet peeves is when we get a contract for supporting a company, then they just send us their admin passwords in clear text. But the worst one is when they send their certificate files for their SSL cert unencrypted in the clear, and then I have to be the one to tell them that they need to deploy a new certificate company-wide because they just invalidated it. You know, because it's a real problem. People don't understand, if they're not us, like in our industry, they don't understand; the security is kind of lacking there. So, you know, it's just one of those things we deal with. But as long as we have a means... and home lab, I mean, there could be something. I mean, if you're on vacation and someone wants to help you fix something, because, you know, I don't know how many people have friends that help them with home lab, because, you know, that is a thing. It might just be a way to say, hey, could you log into this thing and update my packages for me? And if you trust that person, obviously I wouldn't give them, you know, credentials to your bank account or anything, but if it's just running updates, I mean, that could be okay if you trust them. Again, if you trust them, I'm going to keep saying that. But I don't...

Yeah, I think you're right, it's not going to be as useful for home lab, but I'm sure there's going to be several out there that are already thinking of the use case for that.
Yeah, we mentioned the two of them we like, but there's plenty of other good ones out there, but I don't have the time to check them all. Because I'd seen someone mention, I think it's called like Passbolt, B-O-L-T, they're another one that I believe is open source. I think I may be saying the name right, but simply because I get a lot of requests, "Tom, can you tell me about this one?", I don't have time to test them all. I've tested Bitwarden and used it for like three years now, and Jay uses it, and it's because we know the product well. It doesn't mean the other products are bad just because me and Jay don't use them; it just means there's only so many hours in a day and only so many projects that I can take on, and testing every new password manager that's open source is low on my list of things I have time to do. Because, like, Bitwarden has been there a while doing it, I don't see anything wrong with the way they do it, and there's not any killer feature I've seen in the other ones that makes me go, oh man, if Bitwarden had this I'd stay with them, I'm gonna jump ship and go over here. They basically seem to have feature parity to some extent with Bitwarden, but making the same product again doesn't make me change to it. You have to make the same product and then give me that extra reason to switch. So I'll just figure I'll answer those questions, the "why not my favorite password manager" questions that come up.

Yeah, I mean, I feel the same way about OPNsense. I'm sure it's totally amazing and just awesome, but mine works, and translating all those rules, I mean, that's a whole weekend and I have other things to do during the weekend. So nothing against the ones we don't cover, it's just, you know, that thing about being human and eating and sleeping always kind of gets in the way.

Yep. Yeah, yeah, I mean, it's just, it takes a lot, because when I say I've tested something, I mean I put the time in. We have nine employees, so I have nine people using Bitwarden, then we have clients we've resold
this to that are, you know, many more than nine people using it. So we've used this thing a lot, so we have a good familiarity with it, so I can tell you, you know, what we like but we don't like, type things like a little pop-out window problem. But, you know, I haven't run into any gotchas or "you shouldn't use it" that would make me even want to look at the others. So that's my thoughts on there. As I see people asking about other ones, I just haven't had time to test them. I'm sure there's a lot of great ones out there, and they may be, like, you may like the UI better, and if there's no security issues with it, go ahead and use it.

Now let's talk about security. Or do you have anything more to add about Bitwarden?

I don't think so.

All right, so this is a topic because I'd seen someone ask about the LastPass hack. I think LastPass did a good job of being transparent. I also think part of the problem is they were transparent to a fault. Having someone get in your systems but then able to do something that was a user-facing event falls on the edge of what you should... well, I mean, I like, I see you should report it, but that level of transparency created confusion. I did a video on this topic. It did not mean that the place was compromised, but of course it was easy, and when I did that video talking about the LastPass breach, you know, I used my wife as an example, who doesn't work in tech, and yeah, it just gives you that idea that, oh, you know, it's hard to communicate to the general public about this, and then even the technical community seemed to get a lot of it wrong, thinking there was a bigger hack than there was with LastPass. That being said, LastPass has not had any major things that make me think that they're an insecure company. They seem to be transparent almost to a fault, but then again, that's where we're trying to go with security: it shouldn't be an anomaly that companies are that level of transparent. Then the question is, though, once you centralize all your passwords, where's
that security risk? And there is some risk that comes with having your passwords centralized, but there's a lot of benefits. First thing, having them in a browser, there's a good and bad. The good thing about having them in the browser, because that's mostly what you're logging into, is it will help dramatically with your sites and validating them. Because if you try to get to a phishing site and you have to manually type in your credentials, because your password manager has decided not to fill them in, there's a really big positive on the side of security. Because anytime I don't have an autofill I have questions: why isn't it autofilling? Did the URL change? Did they change how they log in? And this actually happened. My bank changed their back end. I knew they were doing updates, but when they changed the back end for the logins, my login quit working because it checked the full URL and it would only log in to the full URL. So when they moved it, it gave me pause and it made me actually reach out, because it was my business banking. So I reached out to my business banker and said, did you guys make changes to your back end? And they said, yes we did. I said, okay, is this the change you made, this is the new URL login? They said, yes it is. I said, okay, cool. It gave me a reason to investigate and ask questions. So I like that about having all the passwords in the browser; it adds an extra level of awareness to make me ask more questions when it doesn't fill in.

The downside is, and this is the video I mentioned at the very beginning, someone pointed out there is a new, and I believe it was TrustedSec that did this, there's a new C2 system for Cobalt Strike. Cobalt Strike is a red team tool, quasi red team tool, also used by lots of threat actors. Once they compromise your system, what's next? What do you do when you get control of someone's system? Well, you would like to run some applications to pull things out of memory. What is the thing you're going to target? Well, let's target the browser. Now
browsers do a lot of obfuscation to make it a little bit harder to pull things out. But I have a video I recently did about storing passwords, and someone says passwords in memory should be encrypted, and that person didn't understand how things work, because there comes a point where everything has to be in memory to operate. Even though it's compartmentalized, at some point things are in memory. And this is what the goal of this extra tooling was: to get into the system, target LastPass, look for it, with the ability to extract some of the things that are in memory from LastPass, which is going to be some of the passwords that are in there. So when you open the vault and it's decrypting the vault, well, now you've got that piece of information. My kind of argument to a lot of this, when people freak out, is you could just as easily have a keylogger on there. Once you have system-level control of someone's system, you can keylog and get their master password. They showed some of the challenges of what it was taking, which is only about 40 seconds on that computer; they didn't really say how fast the computer was, but each hunt through the memory had a time delay, a pause of figuring out where those passwords were in memory. It's not like they're just mapped right here, "here's LastPass," with a clear pointer for this. Also the way browsers, especially with all the reframing of memory, always kind of keep things very compartmentalized to make it a little harder for different things to find things randomly in memory. So it's kind of a cat and mouse game on there. But that being said, it's still, in my opinion, better, even though you're centralizing them; it's better to have them in there. The other thing of having them in the browser is you're chasing through a lot of sub-processes of the browser, versus if you use a desktop application. And this was the video I did recently talking about Microsoft and using
Electron for their Teams app, that gave a place for people to steal the tokens because they weren't doing any encryption with the Electron app. But technically, if you have access to the machine, if you steal someone's browser token and session cookies, which they're making harder to steal, but once you get those out you also have the same level of things. It comes down to: you have to really monitor who's on your system, because once they're on your system at a high permission level, whether it is a keylogger, they have a tool that can extract things from memory, or watch them, you have a lot of scary things that can be happening on there. These are where the fundamental problems are, and by the way, I mean, they do happen, but you really got to focus on endpoint security and really be thinking heavily about that, not just the browser password. Because at some point, whether it's a desktop app, whether you're like, oh, Cobalt Strike's looking for LastPass, I should use another password manager, I'm like, no, no, no, they just haven't written another one for the less common password managers. They've written some tooling to make it easier to extract LastPass because it's hands down one of the most popular ones out there, but the problem still persists across all of these. So that's the way you want to think about security: keep people off your endpoints.

Yeah, I mean, that basically is what it comes down to. I mean, sometimes, you know, when things happen it's a legitimate problem, and, you know, shame on the company for doing that. But I also kind of feel like there's some, like you were saying, some misunderstandings about how these things work. I mean, what's next, we have someone saying, hey, someone broke into my password database? Dude, your password is A, B, C, 1, 2, 3. I don't care they got into my password database. You know, at what point does someone start saying that? I mean, we have to have a reasonable level of understanding of what's required here. We need a strong
password, we need to check the boxes, and like I said, keep people off our system, because if we're letting everybody in it's only a matter of time.

Yeah, yeah, once someone gets any system level of privilege, that's when everything goes haywire, and that's always the goal of the threat actors: what, you know, privilege level can I get out of the system? And having triggers for knowing that on there matters. Matter of fact, I want to explore this a little more, since we're still on the security topic, of what do threat actors do when they're first in your system. And this is where Thinkst Canary, Haroon Meer, and I've interviewed him before on my channel, he's a pretty fun person, but they do these free canary tokens, and I've done a video on it. If you type in "free canary tokens" I break down all the canary tokens that were available at the time of the video, but they've added another token. One of those tokens is when people run common commands, and threat actors do this all the time, such as whoami. Because the first thing you do, I got to a system, mystery system, they clicked the link, I'm in, but where am I at? So the first thing you type is whoami. But Jay, how often do you ever run whoami? You always know who you are, right?

Yeah, I try to know who I am, but I do run it from time to time. I'm not really sure why, but I catch myself doing that sometimes.

Yeah, one of the things you can do, and this was one of the clever ones, is you can create a trigger. This was specifically for Windows, not Linux; there's probably a different way to do it in Linux, but a clever way to do it was to create a special trigger for anytime whoami is run, to send a notification to you. Because unless you're the one running it, that's a question, and that's the first thing a lot of threat actors do. So there's all these little things you can do to help level up your endpoint security, and, you know, even if it's triggering, I mean, they're in, so have your panic attack when it runs and you didn't run it, but at
least now you're aware of it. Because usually, you know, even running these different tools against your system takes time; they don't necessarily always happen automated or instant, and threat actors frequently sit for a little while to see what kind of intelligence they can gather. So this is one of those little tips I want to throw out there. They're kind of related to security and thinking about your endpoints; it's one of the things I want to play with on there. Leave your comments down below if you have a few other suggestions kind of around that, because these are some fun little topics on there: locking out, or knowing what commands are run, or even, and I've known some people a long time in the Linux world who have done this, swapped out commands they don't use for something else so it triggers instead.

Yeah, there's always some fun, it's always something that comes with security.

Yeah, always something fun like that. But hopefully this is an enlightening topic for everyone. I'll leave you with a little bit better understanding and a couple of products you may want to look at. Like I said, we're resellers, by the way, but we're just liking Bitwarden; this is not sponsored or brought to you by Bitwarden. We're just two happy Bitwarden users. In like several years we probably should have... we probably should reach out to them. We've been using them forever, but I've never had a conversation with them. I'm sure they're nice, though.

Yep. So don't reuse your passwords, use a password manager, and your master password should be, or master passphrase, we'll get that out there, because I will complain: Tom, don't say master password, say master passphrase. So it's even longer; it's a collection of words done in an obscure way. Yes, whatever methodology, hopefully you can remember, because that's an important one. Yes, I do have my own complexities and ways I do it that I will not reveal, because I do it my way. If you all kind of do it our way, that's why we have a home lab, right? Yeah, so you have a home
lab. So hopefully that's answered all the questions. We love hearing from you, so please reach out to us. Oh, what was the email address we set up? We announced it last time and I didn't... yeah, 2022 was the end part of it, if I remember correctly. Wasn't it like feedback2022 or something like that? I don't know... the homelab show? Yeah, feedback2022 at thehomelab.show. And if we're wrong we're going to make that alias like within the next five... but no, I'm pretty sure that's what it is. So yeah, all right, well, thank you, and we look forward to hearing from you guys next week. Me and Jay have a couple ideas; one of them didn't pan out so far, so we're actually glad we made this the password show, because, well, next week is All Things Open. I don't really think I'll be at... that's right, the next one, but perhaps the one after that, most likely the one after that. And I actually have to figure that one out because I'm going to be in Florida. So yeah, we'll be back soon. We'll be back soon, we will let you know. Keep an eye on Twitter for us, and thanks everyone for joining, and talk to you next time. Appreciate it.