Ein Vergleich von PASSWORTMANAGERN: Das essentiellste Tool für IT Sicherheit

00:00

Where was the stupid thing?

00:04

I got it!

00:06

User name Morpheus, password 12345

00:11

I could have gotten to that, I use that everywhere anyway

00:15

Ouch!

00:16

Where did that come from?

00:18

Lost!

00:20

You've probably been in a situation like this before, where you wanted to sign up for a new website, right?

00:32

The first time, registering and stuff.

00:34

Normally you should use a pretty strong and long password for this.

00:39

But I think none of you feel like remembering 128 random characters in your head by heart.

00:47

Even at 40 it gets difficult and the problem is, they can only be created by a random generator.

00:54

Because we humans are really bad at creating random.

00:58

But the great thing is, there is software that anyone can use, that creates exactly such secure passwords and that remembers them without you having to remember anything.

01:07

This allows you to log in without typing anything, no matter how long the password is.

01:13

That's why I sat down and made a little comparison of different password managers, the ones that are used the most.

01:20

Especially since this was also wanted in the community several times.

01:24

In my opinion, we should bring a little more clarity into this world of password managers and not struggle so much with it.

01:31

Password managers or password management programs are programs or browser extensions with which a computer can store, manage and use user data, passwords or secret codes.

01:45

This type of program should be platform-accessible.

01:48

So that means on PC, laptop, smartphone and so on, work without problems.

01:53

Password managers have developed because we humans just don't want to remember long, complex passwords, or rather should.

02:01

The rule of thumb is, if you can remember your password, it's bad.

02:05

Sure, you can learn it by heart, but I mean remember, remember.

02:09

A password manager can be imagined by the old school of you as a phone book.

02:13

These are such thick books with an infinite number of pages that contain phone numbers, addresses and names.

02:22

In principle, a kind of database without WiFi.

02:27

Password managers are based on the same principle.

02:31

If I get to know a new person or sign up for a new website,

02:36

then the URL, username and password you specify, and possibly also date and other information in a database will be saved.

02:44

The difference to a phone book is that you can't just open the password manager and have to look it up,

02:51

but that all data within the database is hopefully encrypted securely with a main password.

02:57

If you want to sign up on YouTube now, then you'll notice that it's a good password manager and ask you to enter the master key.

03:04

That's this main password.

03:06

If that's the case, the password management automatically fills in the username and password in the form to sign up.

03:13

Congratulations, you're now logged in and can click on the subscribe button under this video.

03:18

As another function, some password managers offer you a securely generated password on a new page when you sign up,

03:26

which is then saved directly.

03:28

So it's like a password generator with a built-in database.

03:32

Whether this happens via a cloud or locally depends on the password manager.

03:38

Of course, the passwords are best not saved in plain text in the password manager, but encrypted.

03:45

This is called Zero-Knowledge-Encryption and is explained in detail in the White Paper by Bitwarden.

03:51

They use the mail and the master password, hash the whole thing and encrypt it with AES-256.

03:57

With that, and this part comes from me again, someone who sees the encrypted password can't know if your password is 12345 or Peter Enis.

04:07

So it really doesn't work because every issue is valid and you don't know if something is correct or not.

04:14

The fair and decryption happens before the data is saved.

04:19

This means that the manufacturers don't know what your passwords are.

04:22

They're not even in any logs.

04:24

There are services that save the password, but of course they're no longer Zero-Knowledge.

04:30

They could basically find out the password, not just find it out, but even have it.

04:35

To add one more thing, you should of course not only register with username and password,

04:40

but also follow maximum standards, especially for the password manager.

04:44

The password manager is your Achilles heel.

04:47

Accordingly, we use at least two-factor authentication here, not with e-mail, not with SMS, but with app.

04:54

It would be even better with a multi-factor with security key if you have one.

04:58

In that case, I would recommend you to have one.

05:02

To take a closer look at this, I have collected criteria that I consider to be decisive.

05:08

Of course, the price is a bit of a deterrent.

05:11

Then supported operating systems and browsers, import options and synchronization between devices,

05:17

2FA and MFA support, automatic password reception, user-friendly and whether the passwords are saved server-side, i.e. in the cloud.

05:26

We compare Dashlane, Bitwarden, 1Password, Google, Apple and KeyPass, respectively their successors.

05:33

These are probably the most used password managers and yes, there are probably many more good password managers,

05:40

but I think we have a great range that you can use for other managers, if you look at another one, for example.

05:47

If you are still missing anyone, just turn on this diagram and write in the comments what you think of the respective password manager.

05:55

Okay, all password managers except 1Password can be used for free.

06:01

So let's start with 1Password.

06:03

For $ 3 a month you get full operating system support there, i.e. all operating systems, Linux, MacOS, iOS, Windows and even nominally called Chrome OS, by the way.

06:14

All of them are supported by 1Password.

06:16

You also have full browser support, i.e. there is something everywhere.

06:20

Previously entered access data is automatically imported to 1Password, but that is actually standard.

06:26

2FA and security key support are available and the passwords are safely stored.

06:33

In general, there is also an alarm, i.e. if there is a new leak, but I wouldn't necessarily rely on that either.

06:40

But it can't hurt.

06:43

The only downside is that it's not free.

06:47

Bitwarden and Dashlane offer a free and a mandatory version.

06:52

Bitwarden offers you a free version with the so-called basic functions and the option to safely control your private data from anywhere.

07:01

The basic functions include Solia, Zero Knowledge, encryption and 2FA support.

07:07

However, security keys are only supported if you have at least $ 10 left over annually.

07:13

So not in the basic functions, but in the premium functions.

07:17

$ 10, however, annually.

07:19

Yes, annually. I think that's okay.

07:22

You can also register unlimited devices and thus synchronize your passwords in Bitwarden between mobile and desktop, etc.

07:30

You also have unlimited device types.

07:34

You get Bitwarden in the browser, on your mobile devices and in a desktop app.

07:39

You can store notes, credit cards and identities as well as a secure password generator.

07:45

The export of your data is encrypted and that your data is stored in the cloud costs you nothing extra.

07:51

Bitwarden also offers encrypted messages in the basic equipment, but only from files.

07:59

That means you can also just use a messenger.

08:02

If you have the premium version, you also get your own Bitwarden Authenticator and a personal emergency access in the event of an attack by a New World Magician.

08:13

The Bitwarden Authenticator generates six-digit time-based passwords with J1 and rotates them every 30 seconds.

08:21

So it's basically a classic 2FA app.

08:24

So nothing special, everyone else can use it, too.

08:27

They all cost nothing.

08:29

However, the following is special about Bitwarden.

08:32

Bitwarden is open source and also the program code for the server.

08:37

This means that the code is accessible to everyone, which has the advantage that you can check it yourself and be sure that the data is safe and trustworthy.

08:50

Because at least if you are fluent in the language in which the program is written, which in this case is C Sharp,

08:56

then you can understand the processes within the program and understand what happens to your own data.

09:04

Because the programs are open source, the copyright owner gives the users the right to change the program for any purpose, study and distribute it.

09:15

So, and that is very exciting for the server operators among you, you can even host Bitwarden yourself.

09:22

That means installing your own Bitwarden service on your server, where you can then write your own password.

09:29

That's incredibly cool.

09:32

Of course, you are also responsible for it yourself if the thing breaks.

09:36

With a free Dashlane account, functions such as 2FA and a password manager are also included as standard.

09:43

For a little more money you get a VPN, synchronization of your passwords between multiple devices and an automatic password changer.

09:54

The password changer allows you to change the passwords of many websites with just one click instead of having to change them manually.

10:02

This is currently available on Windows and Mac and only in the United States, Great Britain and France.

10:09

So it doesn't bring you much.

10:11

Where we are at the moment, you only have to change passwords if you have become part of a league.

10:17

Then you should change the affected password everywhere where you used it.

10:23

The purpose of a password manager is to use other passwords everywhere.

10:28

Accordingly, you have to change exactly one account in a league.

10:32

The technique that you change your password every six months is already outdated and actually cheesy.

10:37

Therefore, this function is also rather wasted time or only cool if you have just switched to Dashlane.

10:44

In addition, you get the feature Dark Web Surveillance.

10:49

To carry out this surveillance, Dashlane runs more than 12 billion datasets that are linked to hacks and data protection violations in the database.

10:58

They write that about a million new datasets are added every day.

11:03

Unfortunately, I can confirm that.

11:05

All of these datasets are stored on Dashlane's own servers, which means that these scans run completely internally and no data is transmitted to third parties.

11:16

For the provisioning of the dark web data, Dashlane works with the company SpyCloud.

11:21

SpyCloud is a leading online information company in this area.

11:26

In plain language, Dashlane tells you when passwords have been stolen.

11:31

That's nice, but you can also have free and open source by Have I Been Pawned.

11:36

Therefore, this function is not that useful either.

11:40

The actually important features are the following.

11:43

You can save an infinite number of passwords, but only if you pay at least € 3.99 per month.

11:50

In the free version, you are limited to 50 passwords.

11:54

Another reason why you definitely need the paid version is that Dashlane limits you to one device.

12:02

That means no synchronization of your passwords between PC and mobile phone.

12:06

So you would have to type in the passwords from hand in your mobile phone or PC, always the other one.

12:14

And you don't need a cloud-based password manager for that anymore.

12:18

For € 4, you can access an infinite number of devices.

12:22

Passwords are stored in the USA, but according to the Zero-Knowledge principle.

12:27

That means, again, not even Dashlane can access your passwords.

12:31

Unfortunately, Dashlane also lacks a Linux support and Brave and Firefox are not officially supported as a browser.

12:39

All other four managers, i.e. KeePass, KeePass XC, Google Password Manager and Apple's built-in password manager, are completely free of charge.

12:49

You can't pay anything for it.

12:51

The password manager with the most functions and features and one that is also free is the one from Google.

12:57

This one is also cloud-based and stores your passwords on Google's servers.

13:01

Since Google's password manager is a browser extension, or rather the browser itself, and works everywhere where you are logged in with your Google account,

13:10

you don't have to install any additional applications.

13:13

However, only if it's Android and the Chrome browser.

13:17

The Google password manager is of course very intuitive to use.

13:21

It offers synchronization between devices, i.e. your mobile phone and your browser on your PC,

13:27

and other browsers and devices, or rather desktop apps, are not quite as supported, unfortunately.

13:33

2FA and YubiKey support are of course given logically, because you use the thing with your Google account and that's what it can do.

13:41

Warnings about compromised passwords are also available.

13:45

However, there is no master password of its own, which means your Google login is also necessary for your passwords.

13:53

There is no information about how to protect your passwords, at least I couldn't find any.

13:59

Google is probably the Fort Knox out there, but if Google didn't have access to the passwords at all, I'd almost prefer that.

14:07

Apple users also have the choice now. Either they use another password manager or the Apple's own.

14:14

It is also again widely available, if it is an Apple product.

14:19

It synchronizes all access data via the iCloud with your mobile devices.

14:24

But only if it's really certain apps and your potentially 70,000 euro desktop computers.

14:31

Apple has been struggling for a while now to make the iCloud compatible with Windows and Linux.

14:37

So you could almost think that the iCloud password bundle will soon be compatible with Windows and Linux.

14:43

But only maybe.

14:44

Apple also offers you the same protection as your normal Apple account.

14:49

Sorry, Sherlock had to get out of here from time to time.

14:52

That means, of course, security key support and normal 2FA.

14:58

For many it is essential that a password manager saves the passwords in the cloud and synchronizes between all devices.

15:05

This improves the workflow and if you change devices often, you don't have to worry about the database being up to date on each device.

15:13

Everyone can do that, except the last two candidates, KeePass and KeePassXC.

15:20

With them you have to do it all by hand.

15:23

In other words, save a new password on each device every time.

15:27

In the end, like with Dashlane with a free account.

15:30

This is because KeePass or KeePassXC does not want your passwords in the cloud, i.e. on another computer, to be on your own.

15:39

So not at all like with Dashlane.

15:41

They are there on the server.

15:43

This concern is actually justified, because a password manager then represents the most attractive attack point if you have one.

15:51

If you crack it, you have access to every account.

15:55

Unless of course you have 2FA, which you should definitely have.

15:58

If the password manager, however, uses a encrypted database according to the Zero-Knowledge principle, as Bitwarden does, then this concern is quite unreasonable.

16:08

KeePassXC is still quite useful, especially for some passwords that you may only need on one system.

16:16

It encrypts your passwords locally, also with a secure algorithm and works on Windows, MacOS and Linux.

16:24

So now here's the trick to copy the database yourself.

16:29

Or, and again, shout out to the server admins among you, you host a NAS or any other cloud storage where you synchronize the database yourself.

16:40

The plus point is, of course, KeePass or KeePassXC is free and it is open source and not limited in any way.

16:48

And yes, you can even secure this local database with a YubiKey.

16:52

For iOS, since KeePassXC does not support it, you can also use KeePassium.

16:57

That's exactly the same, just for iOS.

17:00

Overall, you can say that all password managers fulfill a certain and important function.

17:06

They keep passwords, user data and sensitive content safe.

17:10

Whether for money or for free.

17:12

There is the right tool for everyone out there.

17:14

But I would make sure that my desired password manager has some essential features.

17:19

MFA with security keys and secure synchronization between my various devices would be very important to me.

17:27

Why? Well, MFA should be a must for every password manager and for you.

17:33

Because password managers are, as I said, your most vulnerable point.

17:37

If someone finds out my master key, he theoretically has access to all my passwords, all my user data, credit card data and other sensitive data.

17:46

It's just not fun.

17:49

I don't want to imagine what it must feel like when someone else, someone strange, buys things in my name,

17:55

signs contracts or commits even worse crimes.

17:58

Such a crime is actually called identity theft.

18:02

But I've already made a few videos about that.

18:05

And that's why you should always use a second factor to authenticate your devices.

18:11

However, it is best to use a YubiKey or security key and not just the app.

18:17

That's why I find MFA particularly important.

18:20

And 2FA, well, that's set up pretty quickly.

18:23

And a lot of companies, companies and online services are now offering it.

18:27

I personally have two favorites for this.

18:30

The first would be BitWarn.

18:32

I would even be willing to pay $10 a month for BitWarn.

18:36

The user experience of BitWarn is gigantic and has all the functions you can imagine, that you really need.

18:43

Sure, you need the free version, but you can also just host it yourself if you want.

18:48

The fact that it is open source makes it all the more trustworthy.

18:53

I personally find Dashlane too expensive for what it offers.

18:56

And BitWarn is just a little bit better than 1Password, which is just not open source.

19:02

Google and Apple are better than no password manager, but that's it.

19:07

If you are a craftsman or not dependent on a synchronization, my second recommendation is clearly KeyPassXC or KeyPassium.

19:15

Here you have to take care of how your passwords come from A to B.

19:20

But it is super safe and offers everything you need.

19:23

But now it's up to you.

19:25

Give this video a thumbs up, send it to two people you know have been putting their security up for far too long.

19:32

And then install the password manager you have chosen right now.

19:39

Basically, it doesn't matter which one you use, as long as you have one.

19:44

Because with it you are at least a thousand times better protected than the average.

19:48

And for those who already have a password manager, write a motivating comment why it is so important to use one and what was the biggest benefit for you.

19:56

And that's it from my side. See you next time. Ciao!