Limitations: Attacker must have full access 1:20 Dude! If attacker already has full access then you are already .....
@erce1000
3 years ago
I agree with that. If they have access of course they could do mostly anything
@collinsinfosec
3 years ago
It's about limiting the attack surface. If an attacker were to get access to your device, they could encrypt your files - I would agree. But they could also get your passwords as well - if stored in a browser.
@lokeshkoliparthi9268
3 years ago
@collinsinfosec if attacker can get physical access or fully remote access (can control input/output) to computer then they could just export passwords to a file without need of any kind of scripts.
@TimeoutMegagameplays
3 years ago
@lokeshkoliparthi9268 If you are using a password manager the hacker would still have to keylog your master password, and would need access to your 2FA (which I really hope you are using), so the passwords are still safe.
@nishantgupta1854
3 years ago
wow haha
@aaaaaa8711
3 years ago
if someone has access to the device it's already compromised or encrypt your device. this video is kind of misleading.
@erce1000
3 years ago
I agree
@rahuldora1587
3 years ago
Yeah you are right.
@adityaj7664
3 years ago
Yeah!
@alvinxyz7419
3 years ago
clickbait right
@TimeoutMegagameplays
3 years ago
Still, if he's using a password manager and notices that the machine has been for instance backdoored, he can simply format completely and reinstall the system, as long as he doesn't access his passwords from his password manager it's still safe, so it's still better than having it on the browser.
@siriusleto3758
3 years ago
Keyloggers. Never type on your keyboard, here's why. Limitation: Physical access. Spyware. Never speak into your microphone, here's why. Limitation: Physical access. Spyware. Never use the monitor to view your data, here's why. Limitation: Physical access.
@thedoublehelix5661
3 years ago
Lmfao
@nirupamaroy2313
2 years ago
Never use a computer Limitation physical access
@theepicduck6922
3 months ago
Use your psychic connection to the internet like an expert of course.
@An1m3
3 years ago
Good thing I have my passwords on a word document.
@pixums
3 years ago
even worse..
@rakeshchowdhury202
3 years ago
If it's inside a veracrypt vault
@siriusleto3758
3 years ago
Bad idea. If you have been infected you cannot escape. It is even easier to read a word document, as you don't need to decrypt it, you don't need to use specific software.
@siriusleto3758
3 years ago
@EnergySandwich Maybe. I've met someone who backed up the file in the Windows recycle bin.
@calebpersonal9987
3 years ago
All fun and games till you get ratted and someone downloads that file
@SweDownhill
1 year ago
If you are afraid of using password managers.. consider using them but store partial passwords. What I mean by that is that you simply add or subtract a special sauce that only you know about. By doing so, credentials stored in a password manager will never be sufficient to login so they become useless for everyone else that might get a hold of them.
@fearless6947
1 year ago
What Swedownhill means is, save the password that google password manager gives you (SAVE it). An example could be on your amazon account. Recreate a new password on your amazon account but, this time, use the same password and add words or letters to the password (this time do NOT save it in google password manager). Every time you log in, just add an extra word to it.
@SweDownhill
1 year ago
@fearless6947 Actually no, that's not what I meant. Here's a better example: Let's say you generate a password of abc123def456, where/how it was generated doesn't really matter. You can then choose to store that exact password in a password manager. If the vault were to be compromised then the hacker would have access to that password/service. However, if you generate the above password, store it in the vault and then add your own special sauce outside of the vault, then you, and only you, would have access to the actual password. To further elaborate on this idea, let's create a few examples: Generated password stored in vault: abc123def456. Always subtract 2 letters: abc123def4. Always add QZ to every password: abc123def456QZ. Etc. If you generate another password: qwerty987, then the same logic would be to store that in the vault, and then the actual password would be either qwerty9 or qwerty987QZ depending on the special sauce that was chosen. Of course, you should come up with your own system. These are just for demo purposes.
@4lpina
1 year ago
I am not sure how much this would help. If you are using the same system for all your passwords (otherwise what's the point), at some point some crappy website leaks your password and hackers can see your 'sauce' you used for all your passwords. Essentially you can never really trust this 'sauce' since chances are it will leak at some point if you use it for many websites.
@charliee5970
9 months ago
@SweDownhill Never thought of that, that's good!
@charliee5970
9 months ago
@4lpina His idea isn't addressing your situation you gave. In your example literally nothing would help protect your password.
@Kyllleur
3 years ago
On firefox, if you have remote or physical access to the machine, you can just go in the security settings to check the saved usernames and passwords... no need to use any script for that lol (dunno about chrome) Honestly, if you got someone with ill intention having access to your PC, you're fucked and that's it.
@BobbyPhoenix
3 years ago
Exactly this. At least he started the video by saying you need 100% full control of the computer. Well yeah if you have that you can do much more stuff than just steal passwords for my browser. That's like saying don't leave your wallet on your kitchen table as you should lock it in the safe behind a picture in the wall, but that's because if someone ever gets 100% full access to your house either by key or breaking in they can steal all your information you have in your wallet. No duh.
@afisap6969
3 years ago
But, in firefox you can create master password to prevent it
@siriusleto3758
3 years ago
Chrome too. Just use the same Windows password you used when physically hacking your computer and ready, all browser passwords will be shown.
@soltanayarix428
2 years ago
but bro, python script and linux tools works automatically and easy
@estebanod
1 year ago
On chrome you need to use the pc password to access the passwords
@the-mi8hy
3 years ago
i audibly let out a sigh of frustration because i know you're right but i'm too lazy to put effort into remembering my passwords >:(
@collinsinfosec
3 years ago
Convenience vs Security is always a dilemma 😂 Sometimes you have to choose, sometimes you have to meet in the middle.
@DiekiKondrael
3 years ago
Remembering your passwords is a worse idea than storing them in the browser. Anyone that can extract passwords from Chrome's storage can also log your keystrokes as you type the password in. Plus, relying on memory to store passwords leads to password reuse, which is a far bigger problem.
@092_deepak_kumar3
3 years ago
Use Bitwarden
@dashy324
3 years ago
Use a password manager
@ko-Daegu
3 years ago
@dashy324 Yes + 2FA
@vickietema3397
3 years ago
Your content is advanced and refreshing. Very helpful. 👍
@asheeeesh27
3 years ago
Alternate title: How to get your parent’s Amazon password for Vbux
@unverified-user
3 years ago
Bobux
@johnczech7074
3 years ago
Grant thank you. Your content is always excellent!!
@billy-cg1qq
3 years ago
Hhhhhh good luck for a hacker to get a full remote control of my laptop
@kgaming7599
3 years ago
ikr
@Nerd2Ninja
3 years ago
The laptop would be easier than a desktop to get full remote access to assuming you ever connect it to wifi
@Hello_am_Mr_Jello
3 years ago
hhhh dahka mrokia
@tyrellwreleck4226
3 years ago
Even modern routers have firewall protection against modern attacks.
@Synceditxboxoffice
3 years ago
if you are connected to internet via Ethernet or WiFi doesn't matter that cause someone will connect to the network or more likely hacker will connect to your router and then hack all the devices connected to that particular router he will poison it and boom he will have all the thingssss lolx
@johnswanson217
3 years ago
1. Close your remote access if not necessary. 2. Do not use unsafe public networks if your machine is remotely accessible.
@OfficialDigitalMishra
2 years ago
Agree! Lots of Tricks to fetch ur browser password
@farfromwea.k
3 years ago
If I have someone else's Windows password, I will simply open chrome, head to password and browser will ask the Windows password again and will simply put it there as well and see/copy password. Using browsers to save password is not insecure but you have to be secure enough not to have anything let your pc or browser access it.
@faithfulojebiyi
3 years ago
It's just the same as someone having the password to your password manager fam
@Medienmechaniker
3 years ago
currently using bitwarden with the chrome extension. Is the extension okay to use security wise?
@erce1000
3 years ago
Yeah, good question.
@collinsinfosec
3 years ago
Good question. I haven't personally used BitWarden. I would say yes. Best possible solution would probably be a local password management such as KeePass.
@kareemschultz
3 years ago
@collinsinfosec Bitwarden also has a self hosted version and its code is visible for everyone to see and inspect as opposed to some other password managers
@vladgonzaleza8774
3 years ago
This makes no sense. Attackers can also send emails from your account and gain access to your bank account... if they have access to your account.
@WantBadtime
1 year ago
I learned it the hard way. My accounts linked through google Password manager, including my Google account, got compromised by a phishing auto token grabber. I am also learning Security Awareness and all browsers create a specific encrypted file with ALL passwords with jumbled text. With that file, they can use a cracker to get every single email and password in just a click. It is absolutely unacceptable. You are best just making your own strong password and write it in a small journal/composition book.
@tentrot4420
3 years ago
I know I asked this question before but do you know anything about cryptography? Just curious
@collinsinfosec
3 years ago
I do know the basics of cryptography, but I am not well-versed in the area of how the algorithm actually works or was developed from the mathematical perspective (math probability, etc).
@amarat.
3 years ago
It’s kinda hard to get direct access to a Linux machine these days lol. Also, half of these vulnerabilities have been patched, and continue to get patched.
@Rhidayah
3 years ago
I don't know why, you just suggesting to use password manager. As mention Kevin Mitnick or Edward Snowden, I forgot who say that "you don't use password manager" it's just pushed you to out from secure password and just collecting your password to be generic password
@nexusjump
3 years ago
Cool.. That's a great tip Thanks man😅😅
@stevejobzz7756
3 years ago
Time to time chrome has fixed the patch effectively , no need to worry about security issue its just info video
@durzua07
3 years ago
I have done this in the past :(
@mckinley3
3 years ago
Great explaining.
@edwardmacnab354
2 years ago
How are they going to get access to my machine? Also all my passwords are linked to a G-mail account that has a backup account in my service provider and also a phone contact so finding my password to IG or Tik Tok would be pretty temporary. I am a bit worried about when I do sign up for online banking as I don't believe banks are that bright generally and I'm a bit leery of PayPal too although they may be smarter than the bank in matters of IT and Security.
@aland9328
3 years ago
Use password managers! I recommend bitwarden
@KINGABDUL99
2 years ago
Great video Thank you for telling
@DogsAreGods
10 months ago
So, in conclusion, really, saving your passwords in your browser is fine just as long as you keep everything updated, and you keep your network and home OS secure from RATs exploiting backdoors.
@teamhairball4182
2 years ago
Is it the same problem if you use your password manager as an extension in your browser? That seems to be the only solution for autofill, but I always wonder if it leaves your data clear out in the open after you've unlocked it.
@Euronius
1 year ago
Apparently if you store your passwords with Keepass 2, it has an autofill feature where you just tab into Keepass, press Paste (Ctrl + V) and it will autofill the username AND password for you on the webpage. I just found this out today. Might actually use it solely for this one, neat feature.
@holidayseason1205
2 years ago
Hi grant can you make a video on programming in security and if OOP is needed for security
@aquatrax123
2 years ago
This type of attack can be used on any password manager. The solution here is to have a hardware password manager. There are a few out there but they are not that good for example, Ledger Trezor and Mooltipass Password Managers.
@Wan_Destroyer
2 years ago
Google Patch this (Locked Database)
@theghostly36
2 years ago
U should save ur passwords in lastpass its the best
@aakashjana6225
3 years ago
Meanwhile my mind thinking how to update the code to work on chrome ver 88
@albertobarbieri8280
2 years ago
Saying that it is easy to steal passwords from the browser is wrong in my opinion. I mean, probably the browser is not the best place, but it's not even the worst place. At the same time it's not that easy to have access to another person's computer in a real world scenario.
@roffe2k736
3 years ago
I'm from the future, I've already seen the whole video.
@tentrot4420
3 years ago
What is going to be the next vid? 😂
@roffe2k736
3 years ago
Okay... just so you know you can't tell this to anybody, the next video is going to be a crash course about the bash terminal and permissions in Linux for cybersecurity reasons.
@htetaunglwin8941
3 years ago
Incredible,I don't believe.
@collinsinfosec
3 years ago
Can you guess what I am thinking... 🤔 (**cough dee boo dah **cough).
@roffe2k736
3 years ago
@collinsinfosec Exactly! You got one secret, your biggest goal that you want to accomplish is making the "dee boo dah" virus go viral and take over the world with the new ransomware technology you're secretly working on. Sorry, but you asked me for this so the world has to know now...
@ishantram6956
2 years ago
After some here and there I am able to decrypt the password saved by chrome which is above chrome version 80.
@Andoresu96
3 years ago
Dude if someone already has remote code execution you lost. This is kinda dumb, like even if you encrypt your passwords, you have to type your master password to decrypt, which if your system is compromised to this level, you lost as well.
@naingko00
1 year ago
Can I save passwords in my Google account only? Not in any browser. I have to save passwords in my Google account only because I can't remember all passwords from all website. Can you give me possible way to solve that problem?
@pirbaba755
3 years ago
Thanks
@deadlockmusic7685
3 years ago
Thanks man👍🏻
@novianindy887
1 year ago
isn't lazagne and the python blocked by most antivirus nowadays?
@novianindy887
1 year ago
please
@KINGABDUL99
2 years ago
You're Awesome
@dongnez
3 years ago
Did u edit this video in linux?
@kennnnn
3 years ago
How safe would saving passwords in a .png file be? Just open it with notepad.
@gbessone
1 year ago
Can browser extensions steal saved passwords from the browser?
@risithranmira
3 years ago
USEFUL VIDEO
@MalumFashEntertainment
3 years ago
No. It's misleading
@DanielRamirez-wz7gk
3 years ago
You kinda remind me of Eddie Brock Jr. In Spider-Man 3 (2007)
@YourVision09
3 years ago
thanks
@JustinIkeda
2 years ago
A friend got hacked and the hacker sent me an exe that I foolishly opened. He got all of my chrome passwords. He must have used the project tool described here to get my chrome passwords. I checked for any suspicious incoming established connections and my anti virus/operating system is picking up nothing. Should I still be concerned after changing my passwords? I am using a VPN but I'm not sure if that did anything in this situation.
@hypeboy306
1 year ago
i didn't even store my passwords in browser but because of malware they take away all login details of the accounts which i logged in the browser like insta, fb, youtube and google account... even the 2 key factor authentication is on still they hacked my accounts
@sameerdubey740
3 years ago
But is it applied to mobile devices also?
@jishnubiju2118
3 years ago
Is it safe to save in password managers like bitwarden,dashlane etc
@livedreamsg
3 years ago
Yes. Bitwarden encrypts end to end.
@ADHD_Gamer
2 months ago
The average person WILL NOT have python installed. And as mentioned in the comments, having full access of target computer is a moot requirement for this test. Target already has issues.!
@removeall23
2 years ago
Thank you thank you thank you, finally I convinced my family to stop this practice
@refugioflores2226
2 years ago
Hey what things can cause someone get access to control ur system ? Someone tried to log into my fb I’m sure they got the password from my pc bit idk how they keep getting access to it
@jackeyniraula
3 years ago
lol, this is just a bit overcomplicated process for a simple expected result. If an attacker has full access to the victim's PC, he can get the passwords stored in the browser in less than 5 secs. The best advice if you store passwords in the browser is to get the USB security key and enable 2FA requiring security key and store passwords only for the services that have 2FA enabled. Attackers can still have your passwords but can't do shit about it to get access as long as you have the security key. The rest of the passwords should go to your password vault like Keepass. Also, don't trust online password managers, instead use offline password managers like Keepass.
@AidenEllis
3 years ago
Glad i have my own software for storing these
@B14ckFoot
3 years ago
whoa teach me
@blrj
3 years ago
How about Lockwise by Firefox?
@fuseteam
3 years ago
fairly certain that's why you set a master password in your browser
@mohsinfareed1797
3 years ago
what is the need for noisy background music?
@Sanity1532
3 years ago
This is amazing! Thank you
@PrevosHD
3 years ago
What about encryption by chrome?
@danielbichof828
3 years ago
did you report that as bug bounty to google?
@h.fontanez5453
3 years ago
🤣
@DiekiKondrael
3 years ago
I disagree with your entire premise, and especially the title. Storing your passwords in the browser is 100x better than trying to remember them, since password reuse is a far worse risk. Lastpass or other software that allows you to set a master password may be slightly better, but malicious software can either keylog the master password or just extract it from memory. In short, there is no reliable way to keep passwords secure on an infected machine. You should focus your efforts on preventing infection in the first place.
@collinsinfosec
3 years ago
I do understand where you are coming from. But I would have to disagree with this opinion. A password management solution is far better as I suggested at the end of the video. I do agree with your last statement.
@Lmfaorofl17
3 years ago
You’re most likely fine to store your password in browsers as long as you don’t install or use software that are dubious. Like come on, the attacker would have to have control over your computer, that’s not easy unless you’re asking for it.
@collinsinfosec
3 years ago
Yep that is correct. As hinted at in the limitations section, an attacker would need to have access to your machine. The demos were just a couple examples of how post-exploitation could happen in the real-world scenario
@hagiangtruong4173
2 years ago
Bad thing is Lazagne does not work well on Windows
@johnveill113
3 years ago
How about LastPass?
@StephenYT.
2 years ago
and if using 2FA?
@sheez-5486
3 years ago
Thank you for new virus attack idea, i use python...
@Kaos.117
3 years ago
You must suck at it to think that this is a new idea XD
@sheez-5486
3 years ago
@Kaos.117 i do suck XD, but actually i had a virus idea since i started the Python XD, how evil am i...
@bladeeda2736
3 years ago
good thing i save my passwords in youtube comment sections
@alphajoker1659
3 years ago
can find someone another pc or laptop browser history
@Shkur777
2 years ago
What about pass? I mean pass the standard unix password manager
@jujuganz8884
3 years ago
Thank god my password is written in my wallpaper
@GamaPerkasa
3 years ago
mine saved at keep
@bread6316
2 years ago
well I wrote a password encoder that encodes a json file into a wav file. All you can hear from it are bunch of beeps with a frequency of 8000 and 9000 Hz. I copied the wav file into all of my devices. Decoding it will be easy but no one could guess that lol.
@mohammedalzamil7191
3 years ago
Nice
@makali2710
3 years ago
Hey bro i am getting virus attack from last 2 month which is crypto tab browser. This virus destroy my system many of time. Please help me
@zone47
2 years ago
Good info but you could have left all the details out for hackers out there on all the tools to use and process to hack someone's password.
@HandsomeManNamedTony
1 year ago
From the beginning i always store my passwords in an encrypted usb and the decryptor is somewhere lol
@premjithappu837
3 years ago
Ya i stored password in chrome 🙃
@michaelnolan1715
2 years ago
I use bitwarden
@AnasQiblawi
3 years ago
but nobody have python installed
@relaxingrainfall100
3 years ago
What if you just put your passwords on paper... 😐
@unverified-user
3 years ago
I have passwords in encrypted vault on my phone
@guilherme5094
3 years ago
Nice.
@Simonius95
3 years ago
Thanks Grant ! Why aren't the browser hashing the passwords by default? What's the reason in your opinion? Greets from Germany
@DiekiKondrael
3 years ago
Hashing passwords would render them useless here, since they have to provide the full original password to the website.
@collinsinfosec
3 years ago
Hey! Browsers do encrypt the passwords when stored, but you can decrypt them as well if you had access to the machine. Hashing wouldn't be a viable use case here.
@Simonius95
3 years ago
@collinsinfosec thanks for the response. Besides using for example LastPass, is there any other in built Browser solution in sight?
@farhanaditya2647
3 years ago
@DiekiKondrael I'm sorry, I don't get it. Didn't the browser already send the full password? I mean, that's why you don't have to type it manually.
@Simonius95
2 years ago
? Do you know sth?
@mouradmohsen838
3 years ago
It was good thanks
@omkargadave1089
3 years ago
Hi sir.......😍😍😍😍
@KINGABDUL99
2 years ago
I love u
@kakilancap
3 years ago
Even in your own pc?
@collinsinfosec
3 years ago
If you want "optimal" security - I would say yes, even on a personal PC.
@andretarvok7122
2 years ago
eh, redundant no? i mean if someone has access to your pc can't they just dump cookies and bypass both the password and the 2fa since that cookie session is already authenticated?
@Thunder-dp7du
3 years ago
Save in safari then
@shubhamtiwari2035
3 years ago
Oh its good
@WilcoVerhoef
3 years ago
You can set a masterpassword in Firefox to prevent this. But at that point why not just install a proper password manager
@tafadzwachimwe777
2 years ago
A password manager is better but Firefox is free
@OfficialDigitalMishra
2 years ago
Nothing will work Hackers are smarter
@phantom3612
3 years ago
That's way too work for getting pwd. You need to make sure user has Python installed (which is common in programmers computer only) and then you need to run that script. for that u need remote access and that's not a joke. If u get it you basically owns the device. U can even run a ransomware's attack much less a script to get pwd
@stacklysm
3 years ago
I thought this would be a password manager ad (Edit) Oh
@simplifyrangoli9619
3 years ago
Do not save passwords in Google or any website logins
@miguelmorenopastor4697
2 years ago
If the passwords are encrypted with SSL (now is more common) this will not work :)
@yonderalt2662
3 years ago
Well, where else am I supposed to store them? Other services either are on the cloud which runs in the risk of losing everything if that service dies or is not free, and paying for the access of your passwords suck. Tell me if there is a better FREE SECURE password manager then I'll change my mind. Also, the only way this can happen is if someone stole my device. That isn't going to happen anytime soon. Even if so, Google has many ways to prevent compromise.
@Servidor_Publico_do_Ancapistao
3 years ago
Pen and Paper
@yonderalt2662
3 years ago
@Servidor_Publico_do_Ancapistao Again, not free and worse than a browser insert seeing as I have to find the paper (if it's buried somewhere) and type it letter by letter cause no automatic insertion and "********" (not everything has Show Password)
@rangermark12
3 years ago
well i already never clicked the button cuz i have another password manager
@chris_32195
3 years ago
So that is why i lost my epic and steam account...
Comments: 253