A weekly live show covering all things Freedom Tech with Max, Q and Seth.
Good morning or good afternoon depending on where in the world you are. Welcome to Freedom Tech Friday. For anybody that is new here, I'm just gonna quickly explain what this is all about and why we are here. Freedom Tech Friday is a weekly live and interactive show hosted on the Ungovernable Misfits X, Nostr (and, yes, we are actually live on Nostr), and YouTube feeds. We go live for one hour every Friday at 9 AM Eastern or 2 PM London time. You can also catch up later on the Ungovernable Misfits podcast feed. On Freedom Tech Friday, we like to cover the latest news trends for anything relating to Freedom Technologies. That could be anything from Bitcoin and Monero, encrypted messengers, privacy tools, and everything in between.
Essentially, if there's a news item, tool, or topic that can help you take back some control in today's digital panopticon, we want to talk about it. My name is Q and A. I'm head of customer experience at Foundation where we build Bitcoin focused sovereignty tools. And as always, I'm joined by my good friends, Max, the head honcho over in the Ungovernable Misfits world, and Seth, who is VP at Cake Wallet. As I mentioned, this show is live and interactive, and we rely on you guys to steer us towards the topics that you want us to cover or to send the consent or your Freedom Tech related questions. There's many ways in which you can get involved, all of which really help spread awareness for the show.
You can comment or ask questions in the live chat. You can submit topics or questions before the show on X or Nostr. Boost the show on Fountain or any of the other Podcasting 2.0 apps. Send questions and tips via Bitcoin and Monero at XMRChat, or just simply share the show on X or Nostr. Big shout out to last week's Baller Booster, Mr. Rod Palmer from the Bugle, who sent in 10,000 sats and said, "GrapheneOS's slogan should be 'the revolution won't have good UX' because it's an adjustment to use." So without further ado, let's dive into the show.
Yeah. Let's dive into the show. Max, sir, how is it going? And I can hear one of you typing, by the way. Oops. That may have been me.
[00:02:05] Unknown:
New keyboard. It's loud. Might I need it? That's the kind of Friday it is. Good morning, gents.
[00:02:14] Unknown:
Max, how are you doing? How are you, struggling with the sniffles over there.
[00:02:18] Unknown:
Yeah. A little bit. I'm alright. Other than that, just excited for today. Very excited. Seth, your, your audio is not great. I don't know why it was before.
[00:02:30] Unknown:
Maybe it's not yep. It is not the right microphone.
[00:02:34] Unknown:
Yeah. Try this now. Maybe if we can there we go. That's nice.
[00:02:38] Unknown:
Listeners, can we get an audio check as well? Are all three of us coming through okay? Please, drop a comment and let us know if you can, hear us all clearly. Look at this. Shout out to the Nostr gang, people in disbelief that we are actually live. Oh, boy. Said, yes. I finally don't have to log in to X today, do I? Nostr gang, Observer, good morning, gentlemen, and, Delta Mike already in there. First to sat with 420 sats. And as I just said that, Bond boosted 2,222 sats. Oh. And then finally, we just added another m pub who has just loaded, mister SPA, Super Far Arrow, who I dubbed, by the way, for those of you that are on, you might have seen this. Super Far Arrow is our time zone correspondent over at Freedom Tech Friday.
He takes great pleasure every single Friday morning to check my, my notes showing the show and double checks that I use the term British summertime rather than, GMT. He's very particular about his time zones, but we appreciate him, calling me out. And, obviously, we also appreciate the 10,021 sat boost he just sent. Cool. Thank you. I'm happy that we've got the master working, as the resident of the master show. So welcome to everybody in any of the live chats, and thank you to BTC wrestle for confirming that everybody sounds good. Thanks for changing your mic there, Seth. Alright.
Look at this, guys. It's all working. Can you believe it?
[00:04:03] Unknown:
I can't believe it. I don't know how to watch it in Nostr. I've I'm I'm nostring now, but I have no idea how to see it. But Just go to zap.stream,
[00:04:12] Unknown:
and then it on, Freedom Tech Friday will be one of the the shows. Oh, it wouldn't be in my, like, Damus or that thing. It's in Primal. You can watch it in Primal as well. Can I? Alright. I'll do Primal. Can indeed. It should come up as a notification. Anyway, let's get down to business. Today, we are talking about something that basically touches every single one of us. That is passwords. Whether you love them or hate them, they are kinda like the first line of defense for protecting our emails, bank accounts, wallets, basically, apps, anything that you know, every single corner of our online lives.
In doing, a bit of research for the show, I found a couple of scary facts. According to a Google survey, 65% of people admit to reusing the same password across multiple sites. And, of course, that is just the ones that are willing to admit it. I'm sure that the real number is, probably much higher. Obviously, that means that if just one of those sites were to get hacked, and let's be honest, these types of breaches happen every single day, unfortunately. An attacker can walk straight into multiple of your accounts if you're reusing the same password. So Yeah. Not a great situation to be in. In 2024 alone, over 5,000,000,000 unique credentials were found circulating on the dark web after major breaches. And, yes, that is billions with a b, not with an f.
Now think about this. The average Internet user has, I was gonna say, at least 20 different online accounts for all of their different kind of well, all aspects of their digital life, essentially. So it's kinda like no wonder that some people, particularly those that are less digitally native, I guess, will default to weak passwords that they can memorize so that they can just manually type it into each of the new services that they sign up to. But, thankfully, well yeah. And they do that because there's simply no way to remember, you know, loads of different complex unique logins. Even if you're a kind of low footprint digital user and you've got maybe, I don't know, five to 10 accounts, memorizing a different password for each of those services is unfeasible for most people. I'm sure there's some autistic people out there that may try to do that, but probably not advisable or feasible.
So that is where password managers come in. So, gentlemen, and I'll, I'll give this one to you, Max, first. So if somebody's never heard the term before, and I appreciate that this might be kind of basic for some of the listeners here who are well versed in this, but how would you explain a password manager in the simplest way possible?
[00:06:52] Unknown:
Something that creates and stores passwords for you in a secure way.
[00:07:01] Unknown:
I like that. Any advances on that, Seth?
[00:07:06] Unknown:
Honestly, that's that's nice and simple. The only thing I would add is that nowadays, they can do a lot more as well. So you can do passkeys. You can do, email aliases in many of the good ones. You can do a lot of different things than just generating and storing passwords. The the term has kinda, like, grown rapidly. But at its core, especially for the average person, it's really save your emails, save your passwords for each website, and easily autofill them.
[00:07:32] Unknown:
Alright. So what you mentioned there that a password manager will kind of generate a password for you. Like, how how do they how do they kind of do that for you? Like, what what's the the general flow look like? Like, let's assume I'm I'm a a a Luddite, and I've got my Facebook account, my Instagram account, and my Twitter account, and they're all using password one two three. Like, where do I get from that kind of horrible world to, you know, having a password manager and then, you know, this magical piece of software kind of doing all of the stuff for me, and it, like, gives me a new password? Is that right? Do I just go and change it? Like, what does that look like, and how do I know that they're kind of giving me secure passwords, I guess?
[00:08:14] Unknown:
Yeah. I mean, on the on the security, I think the most important thing is not just using, like, any old random password manager, but using one that's that's well vetted, that's free and open source software specifically, because you wanna make sure the actual implementation of their security is sound and reviewed by many people. Like, there have been many cases in the past of password managers doing something incorrectly with passwords and people getting wrecked as a result. So really using something dependable. We can obviously get into specifics later on of which ones we recommend. But, the like, as for how it works, the the really nice thing is if you're using a good password manager on your phone or on a browser as a browser extension, it can autofill and autogenerate a new password and autofill your email for you. So, generally, like, if you already have a Facebook account, you would just go to your account settings to security, and then you would have an area for changing your password. You enter your old one. And then in the new password field, usually your password manager will just automatically prompt to generate a secure password and autofill it in both the new password and the confirm new password field.
So you generally don't even have to copy and paste it. That does depend. Like, if you, for some reason, don't like browser extensions and you wanna just use, like, the desktop app or something like that, maybe you can't autofill it, and maybe you have to copy and paste it out. But, generally, yeah, it'll just autofill it for you, and then you're off to the races. I think the thing that a lot of people don't realize until they start using password manager is it's one of the best quality of life improvements, like, in the digital world you could ever do because you you don't need to worry about remembering passwords, and you don't even have to worry about typing them in. Normally, you can just autofill them instantly securely when you go to the website that you need them on.
So it's it's surprisingly easy, but it is one of those things that you should not try to do, like, every account under the sun the day you get a password manager. You'll burn yourself out. But my kind of advice generally is just, like, go one account at a time. When you go to Facebook, change the password there. The next time you open Instagram, change the password there. Like, each time you open a new service, just take two minutes and change the password and slowly migrate all of your passwords to your password manager that way to to new secure passwords.
[00:10:33] Unknown:
Yeah. I think that kind of slow switch from from one world into the other is is great advice and something that's applicable to most of the tools and techniques that we talk about on Freedom Tech Friday, I guess, rather than trying to kinda dive in and change your entire digital life over the course of, you know, a single day. It's gonna be, quite difficult. I believe I'm getting an an echo. Thank you for letting me know, Seth. I'll have a play around, and maybe move some stuff around. But, hopefully, it's not too detrimental. Okay. Next question.
A a lot of people kind of are unsure when they start using this type of tool like a password manager where they are fearful that that I guess the saying goes, you know, I don't wanna put all my eggs in one basket. Like, you know, this one thing now seems like it was, like a single point of failure. And if something happens to this password manager, and, again, they all operate slightly differently. We're gonna dive into the the different pros and cons of those afterwards. But, like, what what happens, like, like, if something happens to to the to that single password manager, like, presumably, my entire digital life is is owned. But what protections are there? Where are the passwords stored? Like, how would you you answer those sorts of questions and fears that people have?
[00:11:48] Unknown:
Yeah. I mean, biggest thing to remember I didn't mention the last one. Just, like, make sure that you use a good open source password manager. One of the reasons for that is so that if that password manager goes away, you could still have access to the actual apps, to historical apps. Someone else could take over maintaining it if necessary. Like, it gives you a lot more flexibility in the future if, like, let's say, you use Bitwarden and Bitwarden shuts down as a company. Someone could continue maintaining the clients themselves so you could keep access to everything. But when it comes to, like, actual security, of your passwords, that's where the important kind of like when you we're talking about, like, Bitcoin security.
You're gonna have one key that's most important to remember and to write down and to save securely, and that's gonna be the master password for your entire, for your entire password manager. So you'll have, like let's say you use, Proton Pass. You'll have your Proton Pass email and then your Proton Pass account password. That you can store it in your password manager if you want to autofill for other things, but but, obviously, you can't autofill something for your password manager if you can't log in. So you are gonna need to make sure that that's a securely generated, very long, very complex word that you keep safe. Probably keep it in the same place as you keep your, like, Bitcoin seed phrase or something.
Because like you said, if someone gets access to your password manager, then they get access to all of your online accounts, which is a bit terrifying. But the one additional measure you can add is, obviously, you should use two factor auth for getting into your password manager. So something like, two factor token in an app like Proton auth or something like that. And then on all of the websites you do, an additional step that would be good is using two factor auth there. And I generally recommend keeping your two factor authentication not in the same password manager as all of your passwords.
I know that they all can do that today. Like, with Proton Pass, you can do all your two factor tokens in Proton Pass. But I personally like keeping two factor tokens separated from my passwords so that if my Proton account got pwned, all of my passwords maybe could be had by somebody, but they wouldn't have any of the two factor tokens. And so they wouldn't actually be able to get into any of my logins unless they had me or my, like, device where I keep these tokens on. So those are the main protections you have, but it's really keeping that master password or the login for the password manager itself really secure, offline, that sort of thing.
[00:14:17] Unknown:
Is it really two factor if it's in the same place? Like, it seems a bit like sort of storing it 24 words and then a passphrase together. It's kind of like they're separate, but they're not really.
[00:14:29] Unknown:
I think the difference here is that unlike, like, a a Bitcoin seed where no one's guessing your seed phrase, with a password, in theory, they could get it. So let's say for instance, you're using a really old password, but you do have two factor auth, and you keep both of them within the same Proton Pass. Let's say not the different threat model, your your Proton Pass does not get pwned, but the person guesses the email and password because it's a it's something that's been leaked in the dark web, whatever, they still don't have the two factor. So it's really different kind of threat vectors. Like, if you're worried more about I don't I'll clarify it this way. If it's between you using two factor and not using two factor by either keeping everything together or trying to keep things separate, it would be better to keep everything together and use two factor on all your accounts and not use two factor auth.
But I think if you're willing to do that little bit extra step and use a separate authenticator, I think that is the better solution for most people, but it does cut down on the convenience just a little bit.
[00:15:37] Unknown:
Okay. Makes sense.
[00:15:40] Unknown:
Yeah. Good good call out there. I found the echo, by the way, guys. My it was my phone playing our stream on Primal on my phone, so apologies for that, fixed now. Thank you for letting me know. Alright. We have a question from, our time zone correspondent. I'm gonna put it up on screen now. It was one I was gonna ask myself later, but given that he's asked it now, I wanna let you guys chime in. We we are talking about passwords here, but something that's become quite prominent in in recent years. Specifically, I I believe Apple might have been the kind of, the driving force here, around the concept of passkeys.
So could one of you outline the you know, why where would I use a passkey versus a password and maybe kick off by, I guess, outlining the differences, first and foremost and then maybe the the difference in application thereafter?
[00:16:35] Unknown:
One of us can. It's not me. Surprise. Surprise.
[00:16:42] Unknown:
I I am definitely not the foremost authority on this, so I won't go too in-depth on, like, what passkeys are. The the the TL;DR is that the idea behind passkeys was that people are bad at password management, so instead of having them do a username and password on every website that they use, we'll instead use a a unique, essentially, private public key pair for each login, and we'll store that safely on the device. And we'll use that instead so that there's no password management necessary. In theory, it's an interesting idea. It's something that has not taken off really as well as I expected it to, and so I haven't literally done a deep dive into it. As far as security goes, it's really well thought out. It's very, complex from a security perspective. It's a it's a cool concept. But for me, actually, like, trying to use it most places, it's it doesn't work super well. And I've noticed if you're not doing, like, passkeys in iCloud Keychain, for instance, on Apple, but you're trying to do them in something like Proton Pass, I've had a lot of problems where I just, like, I I literally can't use, passkeys properly. Because, like, I'll try I'll be using Brave, and I'll try to use a passkey, but it'll give me a QR code to scan, which doesn't work because I don't I don't know what am I scanning this QR code with? I don't I don't have that passkey on some other device. It it gets a little weird, in many cases if you're not using that kind of, like, first party Apple specific passkey thing.
The other main problem that I have with passkeys is that depending on the implementation, they're sometimes not portable. So, like, Apple, I don't believe you can get your passkeys out of iCloud keychain into something else. So as long as you have your your Apple account or the device that they're on, like, you you can get into those accounts, but they're not as portable as just a generic password is. And then the third thing that's the main downside is just that most websites still don't support them. So you're gonna be stuck with a mix of passkeys and passwords, which is, to me, just a little more frustrating. So, like, I've I've dabbled with it a little bit.
Adoption is more broad. Maybe we'll swing back into it. But, honestly, I don't I don't think that the benefits are worth the kind of user experience trade offs today, when I can just use securely generated passwords and a password manager that autofills it. Like, to me, the the actual user experience is the same. Autofilling a password from a browser extension versus auto filling a passkey from a browser extension. Like, it doesn't help me at all.
[00:19:12] Unknown:
That was kind of the the conclusion that I drew was that it it it's still something that you have to kind of keep and and fill in, so to speak. If I understand correctly, the passkeys are more of a, like, a a a private public key pair arrangement where so, like, log in with a passkey, you're providing, like, a proof or a signature, I guess, with the the key the the private key that lives on your phone or or wherever you store it rather than typing something into a a browser and and that then being compared to a hash in a table, I guess. But that like you say, from from a user perspective, it it's not that different really. Before we move off passkeys, a a follow-up question for you, Seth, and I genuinely don't know the answer to this; it's for my own curiosity.
When you use passkeys, do do you just have a single passkey that gets reused because it is like a a signature type relationship rather than it being a a a kind of secret that you prove ownership of? Or is it that you have a different passkey for each login that you choose to use a passkey with?
[00:20:12] Unknown:
I believe it's a unique passkey for each login. And one one additional thing I'll throw out there. One core benefit of passkeys is, let's say, you use a passkey on amazon.com. Amazon.com gets pwned. If you were using a password, that password would be revealed, and anyone could log in to your Amazon account if you didn't have two factor. Passkeys don't work like that. So that is a huge benefit to them that I should have mentioned, where if someone gets amazon.com's database of users but you're only using a passkey, they can't actually get into your account because they don't have a key. It's it moves away from this idea of just giving your private key to a third party as the way to authenticate yourself and does it in a a much smarter way. So the again, the idea is really interesting. In practice, it hasn't been amazing for me. Something that's that's cool, and I do hope that it takes off. And I'm specifically, like, hopeful that more password managers implement passkeys so that you can have those in the same place rather than having to do, like, passkeys in Apple and then not being able to have them in Bitwarden or something like that. Proton Pass does have them, like I mentioned, but actually but it could be user error.
[00:21:19] Unknown:
Nice. I'm actually glad you you said something there because I just wanna point a clarification. You mentioned the scenario where Amazon servers would be pwned and, you know, a password leaked. Would it not be a a hash of the user's password, not not the password itself? Presumably, they're not storing user passwords in plain text. I mean, theoretically, Amazon surely would be doing it right, but the the reason, like you mentioned, there were 5,000,000,000 credentials
[00:21:42] Unknown:
on, like it's because most websites or or I shouldn't say most websites, many websites don't properly store user credentials. And even if they do, often they accidentally make a mistake somewhere and the the hash itself is able to be, like, the password itself is able to be decrypted or broken, if they did the salt incorrectly. There's a lot of things that have happened where you can actually get the user credentials. But, yes, in theory, amazon.com's database would not just have plain text passwords.
[00:22:11] Unknown:
Mhmm. Okay. And that gives me a nice segue into the next question of let's assume, a user is using a a password manager. Doesn't matter which one. If that service has a breach so let's say, Bitwarden. If they have a breach or Proton has a breach, and their central server where the the passwords or the hashes of the passwords or that data is being stored, what would an attacker learn? Like, is it is it game over? Do they learn some hashes and they've gotta go and do some extra work? I'm sure there's probably gonna be some nuances in the different approaches here, but, like, generally speaking, what's the the outcome there in theory that, you know, Bitwarden gets pwned?
[00:22:52] Unknown:
So that's this is the the beautiful thing about if you're relying on a password manager that is end-to-end encrypted by default is that there is no decryptable information on pass on Proton servers, on Bitwarden servers, etcetera, unless they have your account credentials themselves. Like, if they don't have your Proton account, they can't get anything out of the information stored on Proton servers, and they're using all the same, like, industry standards they're using for for your email, all all of the other things that they do. So that that is a a really good benefit of those as I like, I wouldn't really be concerned about that because they're they're designed specifically to not be storing that info in plain text or in any format that's usable on servers.
I mean, this is where, like, if you want to go above and beyond, you could you can do, like, local only password manager, something like KeePass. It is greatly going to increase the user experience hurdle. Like, the pain of actually going through everything is going to be greater. And then you also need to implement backups because you need to make sure that you don't lose those secrets or you're gonna have a really bad time. So it adds a lot of complexity if you don't rely on that. But that's where, like and I know I've talked about this before. Like, I think the risks of them getting something out of a password a a Proton server, for instance, are just essentially nil.
Whereas the risks of you accidentally deleting your KeePass database or your MacBook flying out the window of your car or something, and you're just losing everything are much greater. So, usually, the pros outweigh the cons of using something like that, and Proton knows what they're doing when it comes to encryption.
[00:24:41] Unknown:
Alright. Awesome. We've got a comment from the Twitter live chat from Artory here, which is another one that I had in later in my list. Is it worth it to not keep your password to your main email or Google or iCloud account in a password manager? I guess I can probably tackle that one. I personally would. I don't see a reason not to kind of do that really. I I guess if you're using that email for kind of, like, email based 2FA and stuff like that, then maybe some segregation there could be, I guess, a minor benefit. But for most people, again, I would say that the pros far outweigh the the cons here and and that just keeping it as simple as you can and just having it all be in that main password manager behind the, you know, that master password, assuming that that is secure, that there's no reason not to here. But I'm I'm open open it up to the room here to see if, there's something that I'm overlooking.
[00:25:38] Unknown:
Not that I can see in sorry, sir. No. No. Go Max. Go Max. I was just gonna say not that I can see if you trust your password manager and if it's open source and everything else. I can't personally see a reason unless, like you say, using it for 2FA or anything like that. Sounds like Seth's got some ideas on there. But before he does that, I was also thinking, like, we were talking about or in the chat, there was Have I Been Pwned and all these different things where you can search, to see if there's been a leak on, like, old email addresses and passwords and things like that. And so for people who have previously had emails that may have been leaked, like data breaches or things like that, is there a simple solution?
Say they switch across to something like Proton and they start using a new email and password manager and everything else and trying to do some something properly going forward, is there an easy way to, like, download and copy all of the emails that they previously had? Because often that's like a way to store information that you might need to go back to for whatever reason. Is there a way to do that and not lose all that information across your old emails and then move to a new one, but make sure that the people that would have otherwise contacted you that you need to speak to still can?
[00:27:14] Unknown:
I I think that the easiest way to do this, like I don't know. It gets a little tricky. Like, if you're using Gmail, really a good solution. Like, you you kinda would just have to get a new email address. But if you're using something like, say, Proton, what would be really easy is just using aliases from that point forward. Still get to keep all of your other stuff. You can actually, in theory, disable specific email addresses, although I'm not sure if, like, you don't use a custom domain, if you can disable your protonmail.com ones or not. That's actually something I would have to double check on. But, I think for the most part, if you've had, like, an email address leaked in one of those hacks honestly, the easiest thing is probably just kind of moving on from that, creating a new a new account on something like Proton or Tuta and just keeping the old one just in case for as long as you need. This is what I did when I first kinda went down the privacy rabbit hole, and eventually migrating everything over to the new one. The other side benefit of doing that is, like, let's be honest. If you've had an email for, like, a decade or something, you're signed up for so much garbage, and there's just no hope of digging yourself out of that, like, that spam and subscription hole that a lot of times it's actually really nice to get a fresh start and just not worry about your old email. But definitely make sure before you delete the old email account, all of your stuff is migrated over that nothing is using that old email because account recovery can get really, really painful if you don't have access to the email address that you signed up for a service on. I I have gone through that several times, and it is it is not fun.
So that's definitely the thing to keep in mind, but that's where you can kinda just keep that old email address around for a year, two years, whatever. But start using a new one. Start using email aliases, please. Please. They're they're so they're so nice. If an email alias gets leaked, you just disable it, and you move on with your life. It's it's incredible.
[00:29:11] Unknown:
I, I agree. And I've got some cunt with a strimmer outside my window, so I'm just gonna turn them to fuck off, and then I'll be back. Just two seconds.
[00:29:21] Unknown:
Gotta love livestreams. Alright. The, thank you for your question, Artory. The the next one I wanted to ask was from my list. Seth, I think you briefly touched on this, earlier. But aside from the obvious of storing or generating and storing passwords, most of these password managers on the market can do a little bit more than that. What would be some of the the key kind of tangential features that, the the the good password managers offer a user so that they can kind of further improve their sort of digital life.
[00:29:55] Unknown:
Yeah. I mean, it it definitely varies. I'll just because I use Proton Pass, I'll highlight their things. But a lot of what they do, you can do in Bitwarden and many other password manager options. But the the most important ones for me are secure notes where you can store essentially anything. That could be, like, driver's license number. That could be Social Security. Like, things that you need but you want to make sure are secure, you can do in in just notes so you have general text. You can use file upload to be able to keep, and I'm not necessarily recommending this for everybody, but just as an option, you could use it to keep, like, your private GPG key or a private SSH key that you use across devices, on your password manager to make sure that you don't lose it.
And then the one that is very underrated is instead of relying on some browser's credit card autofill, especially if you're not using a good browser, you can do credit cards in Proton. So you could have all of the the details, expiration, the CVV, security code, billing address, all that stuff, and autofill credit cards directly from it as well. So it really becomes, like, a holistic secrets manager rather than just password manager to let you do really a lot of things. So it's it's it's pretty amazing once you kinda get used to it. The other thing that I will add is Bitwarden has this. I don't think Proton does, but I could be wrong.
But you can also use it to send someone else credentials. Actually, Proton can do it too. So let's say, like, you share an account with a family member or, you need to to transition an account to someone else. You can send one time links with those credentials in a way that are not revealing those to them in, like, a a text message or a Facebook man like that where you don't want that in the chat history. Like, you don't want Facebook to have those details. You can actually send it via a secure link. I think it's called Bitwarden Send. You can also send files that way. And then, Proton, you can send links to specific, credentials, which is is a really, really useful feature that I use often.
[00:32:10] Unknown:
Yeah. I, I also kind of echo exact everything you just said. That secure send is, can be a godsend, for for getting especially from a work perspective if you need to share credentials and things like that. It's, very useful. Alright. So, Max, I hope you've finished killing the strimmer man and back with us now. That's what I'm gonna I, I haven't because, they all had machetes,
[00:32:31] Unknown:
and, I didn't wanna get too leery, but, they have stopped. So That's probably a wise idea. Alright. Yeah. Final
[00:32:38] Unknown:
final question on my list before we dive into the the specifics of some of the tools. Most browsers these days, doesn't matter whether it's on mobile or desktop, always have that really annoying pop up. They're like, ah, we see you typed in a password. Do you want me to save that for you? What's the pros and cons of that? Do you advise people to do that? Do you guys do that? Obviously, don't answer that if you're not comfortable with doing that. And and how does that compare with, a separate password manager, which is kinda like a standalone application. Max, I'll kick it to you first.
[00:33:12] Unknown:
Yeah. I don't know the technical reasons, but I just wouldn't trust Google or whoever in a browser to store my data. But saying that, I would use Proton, the little widget or whatever you call it, that then does the same thing and pops up in the browser for me. I use that. So, I think I'm guessing the difference is that the data obviously is gonna be stored by Proton rather than being stored by Google, and that's why I'm worried because I don't trust Google.
[00:33:53] Unknown:
Yeah. The the biggest thing here is digging a little bit deeper, which is what browser you're using. So I would say, like, if you're using, for instance, Brave, if you generally only use Brave to log into things, I think it's fine. But the real reason why I don't use browser password managers, like, the the built in browser password managers is because I log into things a lot of different ways. I log into apps. I log into things on my phone. It's not always in the browser itself, and, usually, like, getting those credentials out of the browser is a pain in the butt when I need to use them somewhere else. You also lose all the additional functionality that we talked about. You don't have secure notes. You do have a credit card autofill, but it's just not it's not as fully featured, and it's not really built to be portable for you to use it to log in elsewhere.
And so to me, it's not really that helpful. I would say, like, if you're using a good browser, if, again, if the option is you use the built in password manager or you just use the same password everywhere, like, just, yeah, use the built in password manager, that's still gonna be better than the alternative. But for me, the the, like, the the functionality and the portability of using something like a proton pass or a bitwarden is much, much better than using the built in browser one. And I will just add kind of as a, like, you can just disable the built in browser, password manager and credential storage so that it doesn't always prompt you for that. Like, that's something I've seen some people. They use a password manager, but they don't disable the built in browser one. And so you get, like, double overlays, and it it annoys me. So you can definitely, disable that so that you're not constantly getting prompted by the browser when you're actually using a different, password manager.
[00:35:38] Unknown:
Yeah. Good quick, follow-up from Vibrant here. He said if, you know, if you were using the browser one, how how would you sync that? Is that even possible? Can you sync that across devices? Presumably, yes. You can if you're using, say, Firefox on the on on a desktop and on your phone or or vice versa. Is that a thing?
[00:36:01] Unknown:
It is. Like, Brave has their own sync that uses a, like, a 24 word seed phrase, basically, to to authenticate. So you can sync across devices, and you can sync all that data. But, again, it only syncs in the browser. You're not, like, getting access to it for when you need to log in to the Twitter app, for instance. You can't autofill from your Brave. It doesn't work. So you'll you'll have to, like, somehow copy and paste that out and stuff. But you can sync it across devices with the Brave Sync, whatever the Firefox version of that is. Braves does good. Like, I use Brave Sync, but I don't use them for credentials, for the reasons I mentioned before. But there is cross device sync, but it just doesn't it doesn't hit all the same, useful things that I I like from other other solutions.
[00:36:47] Unknown:
Mhmm. Alright. Noted. Okay. Alright. Let's, let's let's take a look at the tools that are available. Again, I'm sure some of the audience here will have some strong opinions, so I really want you guys to to drop your your favorites, your least favorites, your critiques of the various different ones that we're about to talk about into the chat and and let us know, you know, which ones you choose and why. There's I'm gonna leave it pretty open and hand it to you first, Max. But some of the options that are on the market, the the kind of common ones, you know, Apple's got their own password app now, I'm sure Google has the same. We've got Bitwarden. We've got 1Password, Proton Pass, LastPass, KeePass.
One that came up in my research that I've never heard of but apparently is quite popular called Dashlane. Like, what's your take on these? Do you have any ones that you categorically won't use? If so, why? And if you do use one, you know, what what's your favorite, and why have you kind of liked that experience?
[00:37:44] Unknown:
Okay. I've used Apple. Like, they're built in one that just syncs across devices, and it's pretty good. I've not really had any issues with it. I don't know how much I trust it. I don't use it for all passwords, like extremely sensitive stuff I wouldn't use. But for just general stuff, I I think it's pretty decent. I've used Bitwarden, and I did set that up years ago, but I was using that and two factor with a little, key. And it was the same time I was, like, just starting to try and build my first node and trying to do all this stuff that was way above my head, and it was all at the same time and it was all too much. So I just stopped using it. But it was alright.
Max, the technical genius. You're damn right, mate. Stop using that. Not used 1Password. Proton Pass, I use, and I can't say a bad word about it. Again, I don't know technically if it's the most secure, but in terms of usability, it's really, really good, especially when you have the, little thing in the browser that just pops up when I need to go into, different websites. It's really, really clean. And because I already pay for their whatever subscription service and get all the other stuff, it's included anyway. So, that is what I tend to use. And I think, except for Apple, both Bitwarden and Proton Pass, which are the two that I have some experience with, are both open source.
So the other ones mentioned, many of those are closed source, and I don't think I would wanna use it because I don't see the need when there's other good open source options.
[00:39:32] Unknown:
I think that's a a a fair summarization. Yeah. To to my knowledge, both LastPass and 1Password are both closed source, which kind of just wipes them off my list immediately before, you know, you even start to look at features. Again, correct me if I'm wrong here, audience, but I'm almost certain that those two are both, are both completely closed source. And I believe also Dashlane, which, again, I didn't hear about until I started doing the research for this show. That's also closed source, which, you know, wipes it off my my radar immediately. The two that I have, the the most experience with, it won't be a surprise to you, is, is Bitwarden, and Proton Pass.
From a feature perspective, at least in in my experience, pretty, pretty, on par. I only ever used the free version of Bitwarden, and it serviced all of my needs. And then when I became a a paying Proton customer for all of the various, you know, aspects of their suite, I also started to use their their password manager when that came out. I believe it was earlier this year. It's not actually been around all that long or maybe maybe it was last year. Who knows? But, yeah, that's been very robust for me. I've got it on my phone. I've got it on my both of my laptops. And, again, the the automatic encrypted sync, just works seamlessly. Autofill is fantastic. And, I do also use some of the additional features that, Seth alluded to earlier with, you know, like encrypted notes and credentials and card details, which again, you know, you could argue is maybe, a a trade off too large for some people.
But I'm trying to just trying to spot find that kind of balance between usability and, you know, ease of, like, keeping my certain credit card credentials online so I can pay for things quickly, etcetera. You you know, just having it in that kind of siloed encrypted and open source ecosystem just gives me that little bit more peace of mind that, you know, my my credit card details aren't gonna get leaked yet again. Obviously, that doesn't, prevent the leak from happening if I'm putting it into a an owned website. But, you know, it's a start, and I'm doing what I can from as a user to to kind of secure that data. So personally, very, very happy Proton user.
Before I hand it over to Seth, just wanna remind the listeners, let us know what you're using. You know, what do you like? What do you not like? Keen to hear, you know, what the general consensus is among the misfits as to which is the most popular. It seems like we've got two votes for Proton already in in Max and myself. So, Seth, over to you. What's, what's your, your go to?
[00:42:05] Unknown:
Yeah. I mean, I I briefly touched on it earlier, but, I mean, the the most important things to me are, is it end-to-end encrypted? Is it portable? So can I get things out of it if I need to? And then is it open source? Any solution that I'm gonna use has to check all three of those boxes. If it does, I think then it really just comes down to user preference. Like, I know some people prefer a Bitwarden approach to things. Some people prefer a Proton Pass. There are some other options. I know KeePass is one that a lot of people prefer. It's a bit more hardcore. But I really when I think about this, I'd say, what solves those three things? And then what's the most user friendly beyond that? Because if it's user friendly, I'm gonna use it more, and I'm gonna be able to onboard more people to using it as well. Because, really, these are something that should be this should be a tool that everyone uses, like, not just tech savvy people. Like, honestly, the people who need it most are the non tech savvy people.
So it needs to be really user friendly as well. But, those options, like, really, I think you can't go wrong with Proton Pass or Bitwarden, though they're absolutely fantastic. And then KeePass, if you want the more hardcore one, I know you have PearPass on here, which is the, like, from the Keet the people behind Keet who are associated with Tether. It's gonna be as, like, a kind of, like, peer to peer encrypted sync. So you'll be syncing your secrets directly between your devices without using a server, which is quite cool. So I'll definitely be keeping an eye on how that how that is, how user friendly it is.
But those are kinda my key guidelines. Like, the the thing that is absolutely a non starter is please don't use a closed source, password manager because you have no clue what that company is doing, what approaches they're using to encryption. And something really interesting that I wanna highlight, like, we have LastPass on here, something that happened and has continued to happen is they had a hack in 2022 where it came to light that, hackers had accessed their database of encrypted password vaults. In theory, that would be fine, but LastPass had not been implementing, key stretching properly, which basically just means that those encrypted copies of password vaults were not properly secured and forced users to use the right manage the the the right password creation format, to kinda simplify it.
And it turns out that a lot of people were storing their seed phrases in those vaults that were not properly protected. And so there's been hundreds of millions of dollars of theft, from those vaults being stolen because people were keeping seed phrases in there, which is generally not a good idea. I I am of the mind that that's actually fine for hot wallets as long as you're using a good password manager, but it is definitely not somewhere you should put your, like, life savings. And even with hot wallets, there there are better solutions these days like BIP 85 where you could use, like, passport and use BIP 85 to do your your hot wallet seed phrases so they stay on passport, but you can still access them when you need them. But, yeah, that's an example of, like, something where if a company isn't really cautious or they don't care much about something, it can be problematic.
And LastPass, as far as I understand it, their clients are open source, but the server and how they run things is not open source, which is not not gonna fly. So definitely stay away from closed source whenever possible, and just kind of as well before. But I would say, basically, Bitwarden and Proton pass. Pick either one. Both are fantastic.
[00:45:35] Unknown:
Just a little bit off topic. But for some reason, on Twitter, we still have last week's, title, Google free with Graphene OS. I don't know why.
[00:45:49] Unknown:
Yeah. If, if you're paying attention in our private chat on Restream, Seth mentioned that about forty five minutes ago. Now I have no idea why it's done that. I only have one place on Restream to give the the overall stream, a title. It's right. So I I have no idea why it's not updated. But, yeah, clearly we're not talking Elon. We're not talking about GrapheneOS specifically today. But, yeah. Alright. Lots of, Nostr not of Nostr. Lots of, Proton Pass fans in the Nostr chat as well. We've got Nostigang. We've got Bon, SPA, all using Proton. So it seems like they've, they've come out the gate fighting with a with a good tool that a lot of the the misfits have jumped on straight away because, as I say, it's it's definitely one of the newer ones that's on the market compared to, some of the other ones that we've mentioned.
Quick shout to x t x, hashtag free samurai who's up to a thousand sats over on Nostr as well. Thank you very much. Thank you. And, a quick comment on YouTube that, Thor Odinson made a comment. He said, don't worry, Q. You'll have all your data in in your UK government digital ID. Yeah. That that feels like a a topic for its own show there. Not a great day to be, or or another great another day that's not great to be a Brit. Yeah. Bond says my buddy is still on LastPass despite the hack and being close sourced. The mental and time switch keeps him there.
Yeah. That's, well, I guess you could argue that, you know, if if they've had a hack that bad that they've probably, you know, pulled their big boy pants on and and fixed it. But, yeah, that would be enough to, to make me switch. BTC wrestles mentioned that the the title is wrong on YouTube as well. So that indicates that it's probably not a Twitter problem. It's probably a me problem. So, yeah, you can throw your abuse at me, and I'll see what happens, happen afterwards. But hope, at least on YouTube, we can change it after the fact. I don't know whether we can on Twitter. But, Well, we can change it on our ungovernable stream as well. It will go in the feed. So it's fine. We we can indeed. Indeed.
Yeah. Interesting. You mentioned about that, PearPass, Seth. Orange Surf actually messaged me on Signal this morning and and threw this one, onto my radar. It's not one I've heard before. So if I understand correctly, and, again, I've done the grand total of about 30 research on it by clicking a link that you sent me. But does it essentially operate in a similar way, but rather than there being a single centralized server with, Bitwarden or with, Proton Pass, it essentially just kind of shards all your information in an encrypted format and just stores it with all of the various different peers on that network.
Thank you for dropping the link in Twitter, by the way, for context. That's very useful. Yeah. Is is is that what it does? It kinda splits it up and then you can just reconstitute it from the various different peers thereafter, or have I just completely butchered that?
[00:48:43] Unknown:
No. I think you nailed it. I actually did not know that that's how it worked. I thought it was a, Keet has a thing called punch hole, I think, where it it lets you connect to peers directly despite firewalls or NATs, that sort of thing. So I thought it worked that way, but I actually just linked as well in the chat, the explainer that says how apps like Keet and PearPass, stay resilient, and private potentially is what it looks like where it it chops everything into fragments to distribute across this peer to peer network. Those so you can't see any of the content. You download fragments. You reassemble it locally, and then, you can get that even if the the person or the other device that sent that data originally isn't online. So it allows you to do peer to peer, but actually to have, to do it in a way that's async. It doesn't require both devices to be online all the time.
[00:49:33] Unknown:
Very cool. Looking forward to that one. That's not out yet. Right? It's not not a thing. But we'll Paolo
[00:49:39] Unknown:
said on September 17, this is about ten days ago, he said that it's in testing and soon available open source, and that it will be in both app stores. But as far as I know, that hasn't happened yet.
[00:49:52] Unknown:
Okay. Cool. Want to keep an eye on. Max, gonna throw this to to you first because I know Seth has some very strong opinions on this one. But, b t c wrestled mentioned in the YouTube chat that, he uses Vaultwarden slash Bitwarden, because you can self host it on Start9. What's your take on that? Is that something that you've ever, considered self hosting your your own password manager? Feels like, yeah, you could be lighting a very big bomb under your life if you get it wrong.
[00:50:20] Unknown:
Yeah. For me, knowing my technical skills, there are just certain things that I won't self host. The things that are really, really important to me, like, family photos, just not fucking touching it. No chance. No way. I I don't trust myself at all. They're just as important to me, if not more than my SATs, and so that's not happening. Passwords, again, like, getting locked out of all your accounts and not being able to use any of the stuff that you set up over the last decade would be really fucking annoying, and it would be exactly the sort of thing that would happen to me, and it would be exactly the wrong time where I couldn't then fix my laptop running in a different country to try, you know, self hosting it. Just no. It's not for me. I'm not saying it's not for other people. If you're really, really technical, and you really know what you're doing and you have some sort of built in redundancy and you just know your shit, then great. Cool. But not for me. No way.
[00:51:28] Unknown:
Seth, I guess it's just the cosign that message from you.
[00:51:33] Unknown:
Yeah. It's yeah. I mean, I think I touched on this for family photos last week, but it's just this idea of, like, man, there's so much that I have to worry about. I really don't wanna be the person who's responsible for all of my access, much less, like, then it also be my wife's access. Am I also gonna be an uncle Jim and keep all of my other friends' passwords? What happens when my server dies and everyone loses everything and everyone cries? Like, I I don't I don't want that. And the the only real pro is that in this wild scenario that, like, Proton gets hacked and their databases get leaked, Also, somehow, all of their encryption was bad, and then the the secrets are leaked.
That scenario is, like, so wildly unlikely. Well, the scenario of, oh, you were using a mini PC that had one SSD, and it failed, and you lost everything is much higher. The the one caveat I will say with password managers versus something like family photos is that every good password manager I know keeps a local cache of everything. So, like, if you're using Vaultwarden, but you have Bitwarden on three different devices, each device will have whatever the latest state it has locally on the device. So even if your Vaultwarden dies, in theory, you should have those secrets still on those devices. Yeah. So it's better than the situation of, like, family photos where your phone's probably auto deleting things to save storage or something. So the only copy would be on your server.
So it's it's not a terrible idea. It's just one of those things where, like, to me, the juice is not worth the squeeze. It's an extra thing I have to host, an extra thing I have to worry about, an extra thing my family complains when it's down. Like, it's just not there's not much benefit to me, but it is better than, like, family photos or something like that if you're not a super tech savvy person.
[00:53:22] Unknown:
When I spoke to Matt Hill, from Start9, maybe a year ago, he came on the show, we we'd covered this topic specifically, and he was saying it's only just for him, a time where he's starting to host his own family photos. And his setup that he went through with me sounded like it had extreme redundancy and things in different locations and backups on backups, and it sounded pretty complicated. And he was like, I'm only just starting getting comfortable with it. And I was like, he's probably slightly more technical than me. So, that was at the point where I said I'm not even gonna bother looking at this.
[00:54:08] Unknown:
Yeah. Again, I I cosign. I did try it once, but, I guess I was just worried that, like you say, what happens if it all goes wrong? With with, like, the Bitwarden side of things, I think it's I'm glad you pointed that out, Seth, that it is not necessarily that you lose everything if the server goes down. You just lose, like, any updates that have happened or any sync, state sync that would have taken place after the server went down. So it's it's not like you're gonna lose access to everything because of that local cache that you have. But, again, like, that, man, when you have kids and shit like that, it's just one thing too far to worry about. So, you know, end to end encrypted open source is is like a fine trade off for me to to not have to worry about all that sort of stuff.
We had a another question from Orange Surf who messaged me on Signal this morning. We may or may not have touched this, but, Max, I'll I'll give it to you first. Are there any passwords that you wouldn't trust your password manager aside from Bitcoin seeds, which, you know, Seth briefly mentioned the kind of the trade off model there? But in your digital world, is there anything that you specifically don't put into a password manager? If yes, why?
[00:55:16] Unknown:
Yeah. There's a couple of things, like logins to get into my Start9. I don't put in logins to get into my router when I had it properly set up with a Flint 2 and all that kind of stuff. Just a couple of basic things that I was fine to have in writing locked away in a safe which needed physical access, and I didn't need to use very often. It was only like, ah, fuck. My router has gone down again or like, my server's gone down again. Right. Okay. I need to log in. And then I had a really long, disgusting password.
I'd physically type out, but I'd only have to do it, like, once every six months or whenever things break. So that was the only things really. Things where I didn't need constant access, and I really didn't want people getting into.
[00:56:17] Unknown:
I do have one more that I didn't mention yet. The the one other secret that I would in here is if you are an Apple user and you use advanced data protection, which if you are an Apple user, you should be using advanced data protection unless you're stuck in the UK. Sorry, Q. If you are using that, you should treat that like a very important seed phrase. Because if you are using advanced data protection and you lose that secret, you lose everything potentially if you forget your password or get locked out of your Apple account for some reason. So I I treat that the same way I would treat a cold storage, family wealth kind of one, because I it would be very detrimental to lose that. So that's the only one that I would not store in there because I I also don't want people to access it. But it's like you said, Max. Like, think about, do you actually need this in a password manager? And it's not something you hope to ever need to autofill, but it is something you need to have no matter what. So treating it like a like a like family wealth, cold storage seed phrase is a really good idea. And it it's very similar to a seed phrase as well. So you can you can use a lot of the same tooling and concepts to back it up. Even going so far as to put it on steels is a possibility. So that's that's one.
[00:57:38] Unknown:
Good show.
[00:57:40] Unknown:
Right, guys. We we've got one minute left, so I'm gonna leave the the audience with one controversial question, just to put the the proverbial cat amongst the pigeons. I know that's a very British issue, and most Americans are gonna be like, what the fuck is he talking about? Passphrases in a password manager. Yes or no? Please provide your working.
[00:58:02] Unknown:
No. Yes.
[00:58:05] Unknown:
Oh, that was the result I wanted. Okay. Got the guys. You've got sixty seconds each. Give us your rationale.
[00:58:11] Unknown:
Go, Max.
[00:58:13] Unknown:
No. I don't understand the password manager encryption well enough to trust it with something as important. I don't need access to it very often, and I prefer to have things in the physical world where I understand them. I'm much better in the physical world than I am in the digital world, so I stick to that.
[00:58:35] Unknown:
My reasoning is if you lose it, you lose all your money. So you want to make sure that you have redundancy for it. It should not be stored with your seed phrase, and, hopefully, you're not storing your at least cold storage seed phrase in a password manager. So it's it keeps them in separate places. And third, it is something that you may need access to on the go, potentially. It depends on exactly how you use pass phrases. I know that the the usage can vary. But for me, the pros of having the redundancy and having it stored separately from your seed phrase without having to have yet another physical location is well worth it to use in a password manager. Because, again, to me, the risk of someone finding your seed phrase and also accessing your password manager are so incredibly low. But the risks of you losing your passphrase, which is something that we see all the time, like, we have Cake support tickets about this where people don't realize what a seed phrase is or they forget that they have to have that to restore their funds or they just misplace it and lose all their money. That's much more of a problem to me. So I think password managers is right. For most people, it's personal.
[00:59:39] Unknown:
What a great way to sign off the stream. Yeah. We're we're coming up on time already, guys. That was a fun one as always. Appreciate both of your your insights. Really appreciate all of the the people in the Twitter, YouTube, and Nostr chat. We're finally, we're finally able to get that off the ground. Thanks. Special thanks to those that boosted and, so thanks to your questions and and topics ahead of time. As always, we will be back with you the same time next week. If you have suggestions for next week's topic, please hit us up on Twitter or on Nostr with your suggestions. We hope you're the best.
[01:00:19] Unknown:
Thank you for listening to Freedom Tech Friday. To everyone who boosted, asked questions, and participated in the show, we appreciate you all. Make sure to join us next week on Friday at 9AM EST and 2PM London. Thanks to Seth, Max, and Q for keeping it ungovernable. And thank you to Cake Wallet, Foundation, and my NIM box for keeping the ungovernable misfits going. Make sure to check out ungovernablemisfits.com to see mister Crown's incredible skills and artwork. Listen to the other shows in the feed to hear Kareem's world class editing skills.
Thanks to Expatriotic for keeping us up to date with Boost's XMR chats and sending in topics. John, great name and great guy, never change and never stop keeping us up to date with mining news or continuing to grow the mesh to Dell. Finally, a big thanks to the unsung hero, our Canadian overlord short, for trying to keep the ungovernable in check and for the endless work he puts in behind the scenes. We love you all. Stay ungovernable.
Live intros, show format and listener participation
Audio checks, Nostr stream working, housekeeping
Today’s topic: why passwords still matter in 2024
Password managers 101: what they are and why use them
How to migrate: generating, autofilling and changing passwords
One basket fear: master password, 2FA, and threat models
Passkeys explained: pros, cons, and current adoption
If a password manager’s servers are breached—what leaks?
Email hygiene: old breaches, aliases, and migrating inboxes
Beyond passwords: secure notes, cards, and secure sharing
Browser-built password storage vs dedicated managers
Sync across devices and limitations of browser storage
Tooling review: Bitwarden, Proton Pass, KeePass, others
Why open source matters; the LastPass cautionary tale
PearPass preview: P2P, sharded storage, and resilience
Self‑hosting Vaultwarden? Risks, redundancy, and reality
What not to store: seeds, routers, Apple ADP recovery keys
Spicy closer: storing wallet passphrases in managers?
Outro and community credits