How Strong Should Your Passwords Be

  • Published 26 Nov 2021
  • In this video I explain how to create a strong password, and why you should use password managers to create random passwords for your online accounts.
    zxcvbn
    github.com/dropbox/zxcvbn
    dumb password rules
    github.com/duffn/dumb-passwor...
    ₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
    Monero
    45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436
    Bitcoin
    3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
    Ethereum
    0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
    Litecoin
    MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF
    Dash
    Xh9PXPEy5RoLJgFDGYCDjrbXdjshMaYerz
    Zcash
    t1aWtU5SBpxuUWBSwDKy4gTkT2T1ZwtFvrr
    Chainlink
    0x0f7f21D267d2C9dbae17fd8c20012eFEA3678F14
    Bitcoin Cash
    qz2st00dtu9e79zrq5wshsgaxsjw299n7c69th8ryp
    Ethereum Classic
    0xeA641e59913960f578ad39A6B4d02051A5556BfC
    USD Coin
    0x0B045f743A693b225630862a3464B52fefE79FdB
    Subscribe to my TH-cam channel goo.gl/9U10Wz
    and be sure to click that notification bell so you know when new videos are released.
  • Science & Technology

Comments • 862

  • @Sniblet 2 years ago +1094

    All of my passwords were generated using unique highly complex algorithms with quantum behaviors as random seeds all of which I created while I was blackout drunk in a classified location.
    I then deleted these algorithms and smashed the sole device that ever held them with a sledgehammer, twice.
    I then got blackout drunk again and buried the device’s remains somewhere that I do not know. Every time I recover the device, I hide it again using the same method.
    Logging into things is a difficult and often harrowing procedure for me, but at least my 12 Robux are safe until someone breaches the servers.

    • @Justacheese 2 years ago +91

      Thanks for the laugh. I went and pictured someone actually doing the method you listed.
      Holy shit man. Getting blackout drunk to protect your own passwords. Now that is on another level.

    • @HelvecioGomes 2 years ago +5

      Lmao 😂

    • @solar2655 2 years ago +7

      r/thatHappened

    • @Sniblet 2 years ago +62

      @@solar2655 You got me!

    • @sophiacristina 2 years ago +21

      You made all this, but when you were drunk, you forgot that your password was set to "1234321", you really thought you were smart with the last '321'...

  • @GhostfaceRuga 2 years ago +918

    One time for a client we were doing pen testing for the network at the hospital. They always knew we were coming, but didn’t know when, and we never introduced ourselves until we were done so we could find weak points without the staff being on guard.
    I walked in with my laptop and sat down at the medical records desk, no one asked me a thing. After a few minutes I approached the lady at the desk and said “hey IT sent me over and said you guys were having some server issues, I just need your login information so I can check your account on the server.”
    No shit this girl wrote her information down and just handed it over without asking a single question. We had access to the network in under an hour.

    • @gokikuburi8653 2 years ago +48

      Cool story bro

    • @thegreatoutagesign9204 2 years ago +276

      this is unfortunately super common. and I honestly couldn't tell you what talks or programs you need to implement into the workplace to get people to watch out for this shit, since all it takes is a single person to fall for a social engineering attack to compromise everything in your company.

    • @icipher6730 2 years ago +157

      Sounds too fake to be true...but I know it's true, because reality can be more stupid and fucked up than fiction or the dumbest conspiracy theories.

    • @thewolfsamurai1 2 years ago +15

      I had this client who used an ancient email service that was not encrypted.

    • @joule400 2 years ago +86

      @@icipher6730 considering people fall for almost identical scams in personal life too all the time no surprise companies fail in it too

  • @JFrameMan 2 years ago +323

    I actually hate forcing the user to choose a secure password. Giving them feedback on how secure it is is fine, but it should be up to the user how important the account is. Sitting there figuring out a secure password you'll never remember just to download some basic thing or set up a subscription encourages people to re-use more secure passwords they use on other sites, and then that's where their secure passwords get leaked from.

    • @slimyspiral4428 2 years ago +48

      Any kind of password limitations will just help hackers in the long run

    • @ZVLIAN 2 years ago +17

      Not allowing word list passwords would be good tho

    • @bbman10pwns 1 year ago +10

      Not to mention the password can be the most secure password in the universe with an entropy value that approaches infinity, but when the company inevitably gets hacked it won't have mattered even in the slightest.
      I think part of it is just gaslighting users who wouldn't know better, which isn't great ethically.

    • @xwtek3505 9 months ago +2

      Also, different users have different conceptions of what password is ideal (well, entropy is one of the objective conditions, but the rest of the conditions are subjective).
      I would hate to include symbols and capital letters in my password, and I already know my password is secure because I have calculated the entropy and I have generated it using a password manager. My password does not need to be strengthened by capitals.

    • @vincentnthomas1 7 months ago

      Yet it's you who's responsible for your users not getting hacked

  • @Pakanahymni 2 years ago +501

    Dictionary attacks become much more difficult once you start using words from multiple languages. "correct horse battery staple" is suddenly a pretty good password if the words are in Navajo, Polish, Japanese and Hungarian.

    • @bina7513 2 years ago +73

      Then throw in some acronyms and character substitutes along with random characters sprinkled throughout to be extra _salty_ just in case.
      Pun intended.

    • @janekk8833 2 years ago +115

      And then after I write a word in Polish, the site says "you can't write special characters" where I use the letter ń

    • @bina7513 2 years ago +113

      @@janekk8833 I wish more sites would permit special characters in passwords. They need to seriously get with the times.

    • @2BTO 2 years ago +65

      @@bina7513 word i wanna put emojis in my passwords

    • @bush2239 2 years ago +14

      I invented a few words in my own language, and put two in my passwords each.

  • @RATsnak3 2 years ago +561

    My passwords are so secure that even I don't know half of them.

    • @Radi0he4d1 2 years ago +68

      Unironically the right way of doing it

    • @krystiandzik9886 2 years ago +14

      So how do you log in to websites? Or do you always stay logged in?

    • @bioemiliano 2 years ago +11

      You shouldn't know any of them honestly.

    • @Zaptosis 2 years ago +1

      Haha I only know about 5% of my passwords

    • @magythemage 2 years ago +25

      @@krystiandzik9886 password managers probably

  • @RusherDevelopment 2 years ago +2014

    everybody knows that you should always use "password" as your password

    • @MentalOutlaw 2 years ago +827

      Only if you spell it with leet speak sideways.

    • @swordfgithmaster8677 2 years ago +14

      y e s

    • @NPrinceling 2 years ago +232

      Make it longer. Have you considered passwordpassword?

    • @381delirius 2 years ago +49

      yeah it literally already tells you how to type it

    • @egg5474 2 years ago +52

      I hope you use a good salt like 1, or maybe even 2 if you’re paranoid. Stick the sticky note on the back of the monitor instead of the front for maximum security hardening. Also don’t forget to get your NordVPN subscription

  • @geroffmilan3328 2 years ago +118

    I love to see "%" symbols being declined for passwords; it means the chances of SQL injection are very high.
    That character is a wildcard in SQL query strings, and banning it suggests your password gets passed to SQL in an unsafe manner.

    • @rubixtheslime 2 years ago +21

      At that point they're just begging for it.

    • @rainbowskeppy5292 1 year ago +4

      hash the password client side and there's no issue using very long passwords, and you can use all unicode characters

  • @skywz 2 years ago +305

    Also, always have a comma in there so that when a site leaks your password, it screws up the csv your password gets dumped into.

    • @RyuuRider 2 years ago +49

      Big if true.

    • @99temporal 2 years ago +29

      damn, big brain

    • @99temporal 2 years ago +78

      preferably, type a
      to mess it even more

    • @juanpls3856 2 years ago +4

      Can you explain

    • @skywz 2 years ago +95

      @@juanpls3856 if it works, the csv (file where all the passwords are hopefully stored for use) would interpret it as an indicator to move on to the next username/password combination. This would mean that if it works, either
      a) your password will only be registered as a part of your actual password
      b) it misaligns the way the program scans through the file, protecting everyone's password that comes later in the file
      or c) best case scenario, it somehow screws up the csv so bad that it is completely unreadable.
      The problem, of course, is that actual websites might not be able to handle it.

  • @TheTundraTerror 2 years ago +614

    Honestly, as long as you're not reusing passwords and avoid the top 500 most common, you should generally be fine. I think more responsibility should be heaped onto servers for failing to properly store user data.

    • @vaisakhkm783 2 years ago +46

      We can blame servers.... But at the same time we also have a responsibility of protecting ourselves...

    • @martmine4618 2 years ago +26

      We wouldn't even have to protect ourselves if there weren't so many logins.

    • @davigamesp53 2 years ago +5

      Øķ ¡ñþəřéß þįñğ

    • @tissuepaper9962 2 years ago +23

      @@vaisakhkm783 did you not really read the comment, that's exactly what he said. Don't reuse and don't use common passwords, blame the server owners for their shitty datasec when it's a problem.

    • @2BTO 2 years ago +10

      @@vaisakhkm783 wtf do u want us to do, unbreach the servers?

  • @dreammfyre 2 years ago +144

    Isn’t the biggest obstacle for password cracking that you can’t just spam a site or login service with millions of passwords without getting shut out? So brute forcing works if you get something offline to work with, but not really on online user accounts. The biggest threat there is someone hacking the site and leaking stuff.

    • @ZoReeXHD 2 years ago +23

      bypassable, since most websites block the IP you are making the request from, not the machine itself

    • @binarycat1237 2 years ago +54

      @@ZoReeXHD even if they never ban you, each request takes a significant amount of time

    • @z-wire2609 2 years ago +5

      @George Soros So they just measure response time instead of waiting for a response from the server?

    • @Dudeguy217 2 years ago +34

      lmfao you guys don't know shit. cracking happens after a leak, bruteforcing through a sites login page is completely not feasible

    • @baconhair1565 2 years ago +7

      @George Soros If the server security is crappy enough; why don't you just use something better than attempting to brute-force someone's password.

  • @SidewaysCytlan 2 years ago +425

    Password requirement sins: 1. Composition rules. 2. Regular password resets (security breach is the only acceptable reason for a forced password reset). 3. Maximum password length (if less than 64 characters).
    The bigger the company, the more likely they are to commit one of these sins that is actively recommended against by NIST.

    • @robertjenkins6132 2 years ago +75

      "2. Regular password resets"
      I HATE it when they make me change my password every couple of months. I already went through the trouble of memorizing a good password that I don't use anywhere else, so why do I need to change it? I usually just try to change one character. Can't be bothered. Life too short.

    • @GummieI 2 years ago +43

      The regular password reset is one of those things that are good in theory, as any password someone got unauthorized access to would only last for so long. But yeah, the problem is that they have the tendency to make ppl make weak passwords and then just slightly alter them. If people adhered to what this video said every time it would actually be ideal, but we don't live in an ideal world, so it is generally a bad requirement, yes

    • @GummieI 2 years ago +8

      @@robertjenkins6132 "memorizing a good password" That there is an oxymoron. A good password is one you can't memorise, but that has been auto-generated in your password manager. The ONLY exception to this is the password for your password manager, as this very video said, since... well it doesn't help much to store your password manager's password in itself :P And if you do it like that it is just the click of a button in your manager to get a new one to change it to. (Though as I said in my other reply in this thread, due to this very behavior you show here I do believe it to be a bad requirement, but if everyone did passwords right, it is a very good requirement actually)

    • @alnoso 2 years ago +23

      the regular password resets are absolutely retarded. they lead to people writing down their passwords insecurely after a few resets, which i've seen done so many times at my job, and they turn corporate cybersecurity, something that could lead to billions of dollars of damages if something went very wrong, into a nuisance that people just want to get out of the way as fast as possible.
      also passwords prohibiting dictionary words is an awful idea too. your average joe isn't going to want to remember 328g90aH2daf23 just to log into their work computer, and since they can't type in something relatively secure and easy to remember with maybe 3 words and some numbers, they'll end up just going for something absolutely retarded like their initials and date of birth.

    • @PhilLesh69 2 years ago +4

      That's not true. I wrote a script to generate passwords using randomly rotating charactersets, some of which the characters are whole words from different eff wordlists used in dice password generators. For Wi-Fi passphrases I usually have the full 63 character password memorized by the time I'm done updating all the devices on my home Wi-Fi network. But it would still take centuries to crack.

  • @TheWheatless 2 years ago +35

    13:35
    “And you’ll be able to sleep easy at night”
    I wish. Now I worry about the catastrophic consequences of someone getting access to my master password. Granted 2FA eases that fear slightly, instead making me fear what can happen if my 2FA device is stolen or just breaks.
    It never ends.

  • @braiinworms 2 years ago +70

    all my friend [REDACTED]'s passwords are just his username spelled backwards... king shit

    • @MentalOutlaw 2 years ago +116

      what's your friend's name?

    • @randgrithr7387 2 years ago +15

      I took a King Shit

    • @ictogon 2 years ago +10

      @Tungsten Dioxide the reversed brackets confuse and anger me

  • @uglycoal 2 years ago +67

    Don't forget to update your passwords after this video ;)

    • @KiraIsGod 2 years ago

      no ty

    • @akeem2983 2 years ago +9

      Before this video: 12-16 random characters is enough!
      After this video: 10^128 characters, spaces, special characters and Ancient Egyptian hieroglyphs is too weak!

    • @daphenomenalz4100 2 years ago

      @@akeem2983 haha

  • @etopowertwon 2 years ago +65

    Cool story about password max length: I used a bank once which was later acquired by another bank.
    During account migration, the maximum length was reduced significantly, so my 32-symbol password no longer worked and I couldn't figure out why for a long time.

    • @Dudeguy217 2 years ago

      Wow that is a cool story!

    • @RyuuRider 2 years ago +17

      It's evolving! Just backwards-

    • @99temporal 2 years ago +5

      so this probably means they're storing your password in plaintext

    • @etopowertwon 2 years ago +7

      @@99temporal Not really. Most likely they just truncate the password before hashing.

    • @jamesedwards3923 2 years ago +2

      I think I know which bank you are referring to.

  • @sebotrp 2 years ago +128

    My passwords consist of 2 parts: part 1 is a random string of letters, numbers and symbols that is always the same, and part 2 is again entirely random, but also different for each service I use. I have memorized part 1 since each of my passwords uses it, but when it comes to part 2 I have them written on paper. Because my passwords consist of two parts, even if by some miracle my sheet with passwords somehow got stolen, these codes would be useless without part 1, which is only in my memory and nowhere else.

    • @dwightmanne 2 years ago +1

      I just use a random password generator and save it in a text message I send to my dumb phone.
      All of my passwords I think were randomly generated. Because

    • @acloud7604 2 years ago +60

      Imagine getting early onset Alzheimers and now you're fucked

    • @arsenal4444 2 years ago +12

      okay that's actually a really good one, I might start using this method
      many thanks

    • @arsenal4444 2 years ago +3

      @Mialisus lmao sounds like a Bateman meme, nice

    • @daphenomenalz4100 2 years ago +1

      Thnx so much, you're a genius. I will start using this method.

  • @xard64 2 years ago +100

    I don't know how zxcvbn copes with emoji, but at least when tested with a relatively short password, adding one or more emoji caused the estimated brute force times to shoot through the roof. I don't know if using emoji is practical at the moment, but at least it would be an interesting option for password manager managed logins which allow it.

    • @ReimuHakurei-itch.io- 2 years ago +6

      Anti Brute force and dictionary Password : 変態のHackers
      Haha, password cracking only applies to English.
      Hackers really are dumb!

    • @anirudhkumar9139 2 years ago +19

      IDK how many sites even allow you to go outside standard ASCII for the passwords, nevermind using emojis instead

    • @iusegentoobtw 2 years ago +20

      @Sufuurin If by 'literally adds' you mean 'doesn't literally add' then you're correct. Emojis are utf-8 which is used globally for international or symbolic characters. You're not adding code, you're adding an additional utf character.
      For example: 'dumbpost' or 'спешка б', is interpreted as the same length as '😀😃😄😁😆😅😂🍆'

    • @iusegentoobtw 2 years ago +10

      @Sufuurin that definitely is not what you meant.

    • @99temporal 2 years ago +3

      @@iusegentoobtw aren't emojis utf-16? not the html ones, but things like different races emojis, different sex emojis and things like that
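
Worked example added to this thread (not from the video or any commenter): what "length" means for a password made of emoji or non-Latin letters, and the two things a backend has to get right before hashing such input. The code measures the same string three ways (Unicode code points, UTF-8 bytes, UTF-16 code units), normalizes to NFC so that visually identical input hashes identically, and checks a byte limit explicitly instead of letting the hash truncate. The 72-byte figure is bcrypt's documented input limit; the sample strings are the ones quoted in the replies above plus a constructed skin-tone emoji.

```python
import unicodedata

BCRYPT_BYTE_LIMIT = 72  # bcrypt uses only the first 72 bytes of its input


def password_lengths(pw: str) -> tuple:
    """Three lengths of the same string: Unicode code points, UTF-8 bytes and
    UTF-16 code units. A site that enforces a 'character' limit may be
    measuring any one of them, which is why emoji passwords break length rules
    in surprising ways."""
    return (len(pw), len(pw.encode("utf-8")), len(pw.encode("utf-16-le")) // 2)


def canonical_bytes(pw: str) -> bytes:
    """Bytes to feed into the password hash. NFC-normalize first so that an
    accented letter typed as one code point ('\u00e9') and as a base letter plus
    combining accent ('e' + U+0301) produce the same digest."""
    return unicodedata.normalize("NFC", pw).encode("utf-8")


def fits_byte_limit(pw: str, limit: int = BCRYPT_BYTE_LIMIT) -> bool:
    """Hash-function limits are in bytes, not characters: check the encoded form
    and reject explicitly rather than letting the hash silently drop the tail."""
    return len(canonical_bytes(pw)) <= limit


if __name__ == "__main__":
    # Constructed samples: the strings quoted in the thread and one modifier sequence.
    for sample in ["dumbpost", "спешка б", "😀😃😄😁😆😅😂🍆", "👍🏽"]:
        print(repr(sample), "code points / utf-8 bytes / utf-16 units:", password_lengths(sample))
    print("18 emoji fit bcrypt's 72 bytes:", fits_byte_limit("😀" * 18))
    print("19 emoji fit bcrypt's 72 bytes:", fits_byte_limit("😀" * 19))
```

Two practical consequences: a limit stated as "N characters" should say which unit it counts, and the skin-tone emoji shows why counting code points is not the same as counting what the user sees (one visible glyph, two code points, eight bytes).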

  • @NumeroPerdido 2 years ago +82

    My passwords are just random excerpts from the uncle Ted's manifesto or Hoppe's books with random numbers and with symbols sprinkled throughout

    • @GummieI 2 years ago +20

      If this is actually true, you just gave any hacker wanting to target you a LOT of information cutting down the actual options a LOT (and sprinkling in random numbers and symbols, is not really gonna do much, as any hacker with just a bit of experience will be checking for such very things in a relative short amount of time, and since you already told the source of the meat of your passwords, and the lower the list of possible "meat" for the password, the less options there is to sprinkle in those random bits, you narrowed it down a LOT for them)

    • @NumeroPerdido 2 years ago +44

      @@GummieI Please go back to reddit.

    • @FijianSouljah1312 2 years ago +5

      @@NumeroPerdido shut up

    • @Camelotsmoon 2 years ago

      I use catcher in the rye.

    • @purpleey 2 years ago +19

      @@GummieI bruh the stuff in your parenthesis are longer than the actual sentence itself

  • @R1gBoN3Gaming 2 years ago +61

    The best password is when your password is less than the character minimum requirement since you never updated it 😂

    • @Howtoeatrocks 2 years ago +7

      One of my emails (spam riddled thanks to my goal to sign up for every website I come across when I was 12) is all lowercase and less than the min required. Never had a breach

  • @retrogameplus3838 2 years ago +106

    2^32 would be 4.2 billion, 2^33 would be double that, etc. so 2^53 is much more than billions even with the birthday paradox

    • @rj7250a 2 years ago +19

      Consider that a high end graphics card can search more than 30 billion passwords per second and a PC can have 4 graphics cards.
      At least 64 bits should be used.

    • @egtegs 2 years ago +16

      @@rj7250a Plus you don't know what the g low bois have, a PC with 4 GPUs is really at the low end. Plus technology advances in an exponential manner which makes passwords significantly weaker over time. There's room for more entropy in my opinion.

    • @dlys6800 2 years ago

      wtf does that even mean lmao there are no birthdays
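
Worked example added to this thread (not from the video or any commenter): the arithmetic behind the 2^32, 2^53 and 64-bit figures discussed above, carried through to an expected time-to-guess for an offline attack on a leaked hash. The cracking rate is the thread's own figure (30 billion guesses per second per GPU, 4 GPUs), used here as a constructed assumption; 7776 is the size of the standard diceware wordlist; the "half the keyspace" expectation is the usual estimate for a uniformly random secret.

```python
import math

# Constructed figures for the worked example (assumptions, not measurements):
# the rig described in the thread, 4 GPUs at 30 billion guesses/second each.
GUESSES_PER_SEC_PER_GPU = 30e9
GPU_COUNT = 4
RIG_RATE = GUESSES_PER_SEC_PER_GPU * GPU_COUNT  # guesses per second
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size).
    Only holds for genuinely random choice, e.g. a password manager's output."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Same formula for a diceware-style passphrase: each word is one symbol
    drawn at random from a list of `wordlist_size` words."""
    return words * math.log2(wordlist_size)


def keyspace(bits: float) -> float:
    """Number of candidates the attacker has to consider: 2^bits (2^32 is ~4.29e9)."""
    return 2.0 ** bits


def expected_crack_years(bits: float, rate: float = RIG_RATE) -> float:
    """Expected time to hit a uniformly random secret of `bits` entropy.
    On average the attacker searches half the keyspace, i.e. 2^(bits-1) guesses."""
    return keyspace(bits - 1) / rate / SECONDS_PER_YEAR


def bits_needed_for_years(years: float, rate: float = RIG_RATE) -> float:
    """Inverse: entropy needed so that the expected crack time is at least `years`."""
    return math.log2(years * SECONDS_PER_YEAR * rate) + 1


if __name__ == "__main__":
    rows = [
        ("8 lowercase letters", charset_entropy_bits(8, 26)),
        ("12 printable ASCII chars", charset_entropy_bits(12, 95)),
        ("4 diceware words (7776 list)", passphrase_entropy_bits(4, 7776)),
        ("6 diceware words (7776 list)", passphrase_entropy_bits(6, 7776)),
        ("53 bits (figure from the thread)", 53.0),
        ("64 bits (figure from the thread)", 64.0),
    ]
    for label, bits in rows:
        print(f"{label:34s} {bits:6.1f} bits  ~{expected_crack_years(bits):.3g} years")
    print(f"entropy for a 100-year margin at this rate: {bits_needed_for_years(100):.1f} bits")
```

The numbers only describe an offline attack against a hash that has already leaked, which is the case the thread is talking about; an online login form with rate limiting allows orders of magnitude fewer guesses. Note also that these are guess counts, not hash costs: a slow password hash (bcrypt, scrypt, Argon2) divides the attacker's rate by its work factor, which is the defender's main lever apart from entropy itself.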

  • @kmcat 2 years ago +29

    8:12 One point to make here. This length check will be done on the server before the password is hashed.
    The server could take a 100-char password but only hash the first 20 chars

    • @Ultrajamz 2 years ago +3

      So essentially the chars after 20 don't matter except to the unknowing user and hacker? Though a hacker could test it by making the longest acceptable password and then changing the last character… they probably would never use a “hash only the middle or last X characters” type of thing since a normal user will notice and assume the site is messed up and complain.
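
Worked example added to this thread (not from the video or any commenter): a model of the silent-truncation flaw described above, next to the correct behaviour, plus the self-check a site owner can run against their own login code. `hash_password` is a plain PBKDF2-HMAC-SHA256 derivation; its `truncate_at` argument is a constructed switch that imitates a backend keeping only the first N characters before hashing. `accepts_suffix_change` registers a long password and then tries the same password with only its last character altered: a correct backend must reject that, a truncating one accepts it. The iteration count is a placeholder for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; placeholder for the example


def hash_password(password: str, salt: bytes, truncate_at: Optional[int] = None) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password. `truncate_at` models a backend that
    silently keeps only the first N characters before hashing (the flaw the
    thread describes); None hashes the whole password, which is correct."""
    if truncate_at is not None:
        password = password[:truncate_at]
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify(password: str, salt: bytes, stored: bytes, truncate_at: Optional[int] = None) -> bool:
    """Recompute and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt, truncate_at), stored)


def accepts_suffix_change(truncate_at: Optional[int], length: int = 100) -> bool:
    """Self-check for your own backend: register a `length`-character password,
    then present the same password with only the last character changed.
    Returns True if the altered password is (wrongly) accepted."""
    salt = os.urandom(16)
    original = "a" * (length - 1) + "b"
    variant = "a" * (length - 1) + "c"
    stored = hash_password(original, salt, truncate_at)
    return verify(variant, salt, stored, truncate_at)


if __name__ == "__main__":
    print("backend truncating at 20 accepts a wrong suffix:", accepts_suffix_change(20))
    print("backend hashing the full password accepts it:   ", accepts_suffix_change(None))
```

The defender's fix is to never shorten input on the way to the hash: if the hash function itself has an input limit (bcrypt stops at 72 bytes), enforce that as an explicit maximum with a visible rejection rather than a silent cut, so the user and the stored digest agree on what the password is.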

  • @meinfuhrer5041 2 years ago

    I was just watching your old videos on passwords glad you released a new one.

  • @r.b.ratieta6111 2 years ago +187

    The best password is "incorrect." That way if you type it wrong, most apps and sites will tell you, "The password you entered is incorrect."

    • @smiley_1000 2 years ago +42

      Put a space at the end of your password so that the Hacker will get frustrated trying to enter it

    • @tissuepaper9962 2 years ago +12

      @@smiley_1000 many, many websites totally ban special characters at the beginning and end of passwords. Methinks they're afraid they aren't sterilizing everything correctly.

    • @randomdude12370 2 years ago +8

      Big brain over here

    • @flyingstonemon3564 1 year ago +1

      Problem: Other languages being used by the attackers or apps

    • @r.b.ratieta6111 1 year ago +2

      @@flyingstonemon3564 New password: "Incorrecto"

  • @CcReap3r 2 years ago

    Damn the algorithm is loving you lately, keep seeing a bunch of your videos in my recommended

  • @barrdack 2 years ago +38

    There is another meme from xkcd where they have to choose between cracking the super complicated password or using a $5 wrench.

    • @danielsjohnson 2 years ago +9

      @Nobody You don't get it. You hit the password owner with the wrench until they tell you. Or get them drunk and ask them the password. Or both.

    • @etopowertwon 2 years ago +7

      In Russia this method is called "Thermorectal cryptanalysis"

  • @PrincessColumbidae 2 years ago

    Thanks for linking the bad password rules. Made my day.

  • @Juan_Duran 2 years ago +3

    4:41 one of the many reasons i love your work. God bless you bro

  • @johtfloridaman6227 2 years ago

    You are taking off! congrats!

  • @go_better 1 year ago

    Thanks! Very educational.

  • @jaroddavidson7482 2 years ago +27

    You know it’s strong when you can’t even remember the password

    • @jaroddavidson7482 2 years ago +3

      @Nobody lmao

    • @sharishth 2 years ago

      @SoulStacker that's the point he can't remember himself.

  • @MrWasian 2 years ago +67

    Limits for passwords ironically serve as a table to help break passwords. General rule of thumb is 15 characters minimum and some type of variation that isn't a pattern.
    At the end of the day at 15 characters it's still going to take someone a long fucking time to break it unless they know specifically how you created your password. If a nation state actor targets you, you're fucked anyway so it doesn't matter the length or complexity. The biggest limit to breaking someone's password is the amount of computing power you have at your disposal. It's why certain three letter agencies couldn't give a fuck about complexity as to them it's just a matter of time. For regular people 15+ is fine as most people that try to break into accounts use dictionary attacks with tables, so unless you're stupid enough to make your password something common you're fine.

    • @thetruegoldenknight 2 years ago +1

      I absolutely know of those "three letter agencies". And let's just say I'm beneath their notice, so I'm not worried.

    • @MrWasian 2 years ago

      @@thetruegoldenknight it's an automated system, you only are prioritized when you meet a certain threshold. For security specialists the entire point of constantly pushing the boundaries for complexity and randomization is to be ahead of ANY entity that actively tried to decrypt or reverse security methods.

  • @pumbbb 2 years ago +1

    i know this isn't a linux related video, but thanks to ur content you have convinced me to switch to linux mint, and now i am a proud linux user

  • @Nimta 2 years ago

    nice reference to the classic xkcd brother. real legend

  • @dadecountyboos 2 years ago

    never disappointed by the b roll for this channel

  • @FGj-xj7rd 2 years ago +48

    6:15 Is that because of some SQL injections? Why wouldn't they allow you to use the "%" signs?

    • @binarycat1237 2 years ago +20

      printf, url-encoding
      (Both should not be near passwords)

    • @GummieI 2 years ago +14

      It is most likely due to that sort of thing, which in and of itself is a BIG red flag though, as it means they are not sanitizing the input well enough if they are afraid of that kind of thing. Before the password gets handled, any basic code should basically be told that what is coming here is in no way, shape or form something that is code related; it is purely a possible password input to be checked with/stored in the database

    • @GummieI 2 years ago +10

      @@weakspirit_ Yeah, it is kinda a funny one, since at first glance it doesn't seem that bad: "it is just a single excluded character, sure the more possible characters the better, but surely one character can't be that bad". It is when you know the reason behind the requirement you see exactly why it is indeed VERY bad

    • @tissuepaper9962 2 years ago +1

      @@weakspirit_ my stomach literally dropped when I read this comment, lmao! The ways I've seen excel abused...
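
Worked example added to this thread (not from the video or any commenter): a registration and login path in which no character ever needs to be banned, because the password is hashed before it goes anywhere near the database and every value reaches SQL as a bound parameter rather than as part of the query text. The one place where `%` and `_` really are special, a `LIKE` prefix search, is handled by escaping them. This is example code against an in-memory SQLite database; the usernames, passwords and PBKDF2 iteration count are constructed placeholders.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor; placeholder for the example


def derive(password: str, salt: bytes) -> bytes:
    """The password is hashed here; only the salt and digest ever reach SQL."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, digest BLOB NOT NULL)"
    )
    return conn


def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    # Bound parameters: the driver passes values separately from the SQL text,
    # so quotes, commas, '%' or '--' in the username or password are plain data.
    conn.execute(
        "INSERT INTO users (username, salt, digest) VALUES (?, ?, ?)",
        (username, salt, derive(password, salt)),
    )
    conn.commit()


def check_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(derive(password, salt), stored)


def count_username_prefix(conn: sqlite3.Connection, prefix: str) -> int:
    """LIKE is the one context where '%' and '_' are wildcards. Escape them in
    the user-supplied prefix instead of forbidding the characters at input."""
    escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username LIKE ? ESCAPE '\\'",
        (escaped + "%",),
    ).fetchone()
    return n


if __name__ == "__main__":
    db = open_db()
    create_user(db, "o'brien%", "p%ss'word,--")   # constructed awkward values
    create_user(db, "obrien_2", "another one")
    print("login with the awkward password:", check_login(db, "o'brien%", "p%ss'word,--"))
    print("users whose name starts with 'o':", count_username_prefix(db, "o"))
    print("users whose name starts with '%':", count_username_prefix(db, "%"))
```

Read the other way round, this is why a ban on `%` is a signal worth reporting to the site: with parameter binding and hashing in place there is no code path where the character could do anything, so the rule suggests one exists.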

  • @NumbersCanBeFun 2 years ago +2

    Thanks for bringing up the point about the password manager. I use a cloud based one now and I plan to switch away from it soon. I also got a proton mail since I was getting an all new setup and I wanted a strong password for it.

  • @reychop 2 years ago +4

    Agreed on password managers. Using a password manager is becoming more important now more than ever. After I started using bitwarden, I started using 16 characters or more for my passwords (autogenerated). And my master password is a long nonsensical sentence with a mix of words from multiple languages, since I’m trilingual, and numbers mixed in.

  • @GladiusTR 2 years ago +14

    I use the Correct Horse Battery Staple method, but I don't reuse them. I have a little book full of my passwords.
    The book itself is written in code because I was a big fan of spy fiction when I was in elementary school

    • @sleep3417 2 years ago

      Extremely cool

    • @fordprefect859 2 years ago

      Oh yeah? I got bored one day and not only encoded my passwords, I also did basic encryption on them. (Not very strong encryption, but I did the math by hand, so cut me some slack here.)

  • @UtherV 2 years ago +2

    Nice write-up!
    Would love to hear your thoughts / knowledge on how this fares vs approaches such as SSO or password-less Auth.

  • @iliketobewithpeople9821 2 years ago +51

    I change my passwords every week and ensure they are all very strong. Mostly because I forget all of them

    • @binarycat1237 2 years ago +4

      This is no longer recommended.

    • @arsenal4444 2 years ago +1

      @@binarycat1237 Y

    • @pelic9608 2 years ago +1

      You're allowed to laugh, guys!

    • @charlubermensch2395 2 years ago +1

      @@binarycat1237 Can you develop? Personally I don't change my passwords (except bad ones or Epik one lol) but I thought it'd be more secure.

    • @flyingstonemon3564 1 year ago

      @@binarycat1237 What happened?

  • @Ryan-os9pb
    @Ryan-os9pb 1 year ago

    fr stay on the grind

  • @justarandomonlineperson8094
    @justarandomonlineperson8094 2 years ago +2

    I still remember this one guy at an internet cafe; his facebook password was "asd" and the rest was just him slamming his hand on the keyboard while swiping his hand across it, left to right.

  • @teh_supar_hackr
    @teh_supar_hackr 2 years ago +6

    The most secure password is one made up of just obscure Greek characters, combined with characters from other languages like Hindi, and is the length of the Bee movie script.

    • @VoidplayLP
      @VoidplayLP 2 years ago

      just run the bee movie script through a digital replica of the enigma machine

  • @Pokewoofer
    @Pokewoofer 2 years ago

    Thank you for sharing.

  • @jazzochannel
    @jazzochannel 2 years ago

    Good summary. You should mention other providers tho to keep it "balanced".

  • @kiril-jiwoo
    @kiril-jiwoo 2 years ago

    you're doing godly work, just make sure to always show sites on dark mode. thank you

  • @MrHack4never
    @MrHack4never 2 years ago +14

    It would also be nice to have a copy of the password rules on the login page, so I can remember which rules I used when I created the password

    • @r34r81
      @r34r81 2 years ago +5

      When I try to find out the password rules of a page I just try to make a new account and in the password field I just write "a". It will give a list of things your password is missing.

  • @l0lLorenzol0l
    @l0lLorenzol0l 2 years ago

    I have some pretty long passwords but I should change them again as I have been using the same ones for a while, thanks for the reminder

  • @Chronophylos
    @Chronophylos 2 years ago +5

    I get why you want to use an offline password manager. But the problem is, most people have more than one device where they need their passwords. Synchronizing your passwords between your devices quickly becomes a hassle. I have not found any good solutions other than an online password manager.

  • @xasmaniusvolk8416
    @xasmaniusvolk8416 2 years ago +4

    6:58 Whether an emoji is one character or more depends on how the server is set up (most of the time, if unsupported, longer than a character).

  • @381delirius
    @381delirius 2 years ago +11

    i wanna flex my perfect password so badly

  • @TheLazyJAK
    @TheLazyJAK 2 years ago

    This video exceeded my expectations.

  • @jayl3840
    @jayl3840 2 years ago +27

    I like to make my own passwords that are 24 to 36 long. A tip I would recommend is, when making up phrase-based passwords, purposely misspell words, and I don't mean the known way like instead of using golden you put g0ld3n. Instead, do it like this: golden = x~ld`n. Make a key so each vowel equals a certain symbol or value, and then instead of using the normal "leet speak" just put random letters in place of other letters. And always use a password manager and always use 2fa when available, as outlaw said.

    • @informitas0117
      @informitas0117 2 years ago +6

      Also, if you are bilingual it should come naturally to mix languages; even if not, learn a few words of a random language and plug that in the way you said.

    • @PvblivsAelivs
      @PvblivsAelivs 2 years ago +3

      I keep seeing the "use two-factor authentication" thing. And I am not impressed. Anything that is not a password can be stolen or spoofed. To take a common example of sending a one-time code to your phone: An attacker uses social engineering to transfer your number to his device. Now you can't get into your accounts. I have asked various people who say to use two-factor authentication why this is a good thing. And I am always met with dead silence. It's like they hope my question will go away.

    • @AverageAlien
      @AverageAlien 2 years ago

      why so paranoid? As if anyone would even care enough to try to crack your password

    • @felix-gena6595
      @felix-gena6595 2 years ago

      @@AverageAlien lmao

    • @Shanoyu19271
      @Shanoyu19271 2 years ago +2

      @@AverageAlien glow

  • @AbdulHannanAbdulMatheen
    @AbdulHannanAbdulMatheen 2 years ago +1

    👏🙂
    Very interesting

  • @randomchannel-px6ho
    @randomchannel-px6ho 2 years ago +5

    Pro tip: I like to come up with a memorable word or phrase and then encode it to base 64. Easy strong password.
    Either that or just auto generate something.

  • @CorrosiveCitrus
    @CorrosiveCitrus 2 years ago +12

    The fundamental problem with that computerphile video is that they misunderstand the xkcd comic. The entropy they calculate is already assuming an attacker has full knowledge of how the password was created. There are 44 bits of entropy. This only goes up the less the attacker knows about how you created the password.
    It is very important that you make this assumption when making a password. Only calculate the entropy based on full knowledge. Then you are preparing for the worst case scenario and not relying on security through obscurity.
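
A worked version of the full-knowledge entropy calculation described in the comment above, which also covers the base64 tip a few comments earlier. This is an added example, not code from the video or from any commenter; the word-list sizes and the guess rate are assumptions, marked as such in the comments.

```python
import base64
import math

# Assumed list sizes (not from the page): the xkcd comic's 2^11-word list,
# the standard 7776-word Diceware list, and the 95 printable ASCII characters.
XKCD_LIST = 2048
DICEWARE_LIST = 7776
PRINTABLE_ASCII = 95


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: each position is independent,
    so the keyspace is alphabet_size ** length."""
    return length * math.log2(alphabet_size)


def passphrase_bits(list_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly from a list_size-word list,
    assuming the attacker knows both the list and the word count."""
    return word_count * math.log2(list_size)


def public_transform_bits(base_bits: float) -> float:
    """A deterministic, public transform (base64, appending the site's domain,
    a fixed leet map) does not enlarge the keyspace: the attacker applies the
    same transform to every candidate, so the entropy is unchanged."""
    return base_bits


def base64_is_reversible(phrase: str) -> bool:
    """base64 is an encoding, not encryption: anyone can decode it."""
    encoded = base64.b64encode(phrase.encode("utf-8")).decode("ascii")
    return base64.b64decode(encoded).decode("utf-8") == phrase


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole keyspace at a given guess rate."""
    return 2 ** bits / guesses_per_second


def compare_schemes() -> dict:
    """Bits of entropy per scheme under the full-knowledge assumption."""
    four_words = passphrase_bits(XKCD_LIST, 4)
    return {
        "4 words, 2048-word list (xkcd)": four_words,
        "same 4 words, base64-encoded": public_transform_bits(four_words),
        "6 Diceware words": passphrase_bits(DICEWARE_LIST, 6),
        "8 random printable ASCII chars": random_string_bits(PRINTABLE_ASCII, 8),
        "16 random printable ASCII chars": random_string_bits(PRINTABLE_ASCII, 16),
    }


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast hash (not from the page)
    for scheme, bits in compare_schemes().items():
        days = seconds_to_exhaust(bits, rate) / 86400
        print(f"{scheme:34s} {bits:6.1f} bits  {days:.3g} days to exhaust")
    print("base64 round-trips:", base64_is_reversible("correct horse battery staple"))
```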

  • @GummieI
    @GummieI 2 years ago

    Wait wait? an actual true video on this topic? I totally went into this expecting to correct the video, as 99.99% of these types of videos are totally wrong (even if the intent is good most times). But yeah, if you can remember your password, it is not strong enough, yeah (and then use the effort needed to make that one strong password as the only one you can remember for your password manager, which is exactly what this video said). So Kudos to you for making an actual true video on this subject for once :)

  • @dakedres
    @dakedres 2 years ago +2

    What do you feel about self-hosted hosting? Like connecting to a raspberry pi you keep at home and syncing the password database once a day or something.

  • @TheBoxyBear
    @TheBoxyBear 2 years ago +1

    Also, by having these arbitrary requirements, it makes every password less secure, since you know any given password you're trying to crack meets these requirements, so the pool of all possible passwords is much smaller.

  • @idontwantachannelimjustcom7745
    @idontwantachannelimjustcom7745 2 years ago +12

    For xmas, a family member asked me for a chromebook. They said a financial guru suggested a chromebook, that was solely used for bank and brokerage accounts, was the best way to protect access to these accounts against hackers. How do you feel about a chromebook that after initial setup, only visits a bank and brokerage website?
    If you were to strip down a Linux os for the pi to serve this purpose, where would you start?

    • @99temporal
      @99temporal 2 years ago +1

      well, to be honest, having any device whose sole use is to access critical sensitive accounts is a great idea (as long as you use a totally different password from any other account)

  • @SkySumisu
    @SkySumisu 2 years ago +60

    Wouldn't "Password Managers" go contrary to Luke Smith's philosophy that "You shouldn't rely important stuff on technology more than you really need"?

    • @MiguelAngel-fw4sk
      @MiguelAngel-fw4sk 2 years ago +9

      Use a text file lol

    • @MiguelAngel-fw4sk
      @MiguelAngel-fw4sk 2 years ago +6

      Or a pen and paper

    • @axmoylotl
      @axmoylotl 2 years ago +31

      @@MiguelAngel-fw4sk i used pen and paper, but then it's just super inconvenient. with a password manager i can just make 40 character long randomly generated passwords that are more secure + they just autofill. on paper, i still had to keep the passwords simple enough + i'd have to have it on me if i wanted to log in to something. If you only had 5 accounts you could remember your passwords, but i have dozens, you just can't remember them.

    • @JohnSmith-gd2ws
      @JohnSmith-gd2ws 2 years ago +11

      If you don't trust a password manager you can any day fork or look at the code of the command password manager called "pass", that's the most barebones you can get.
      a GNU password manager is a must if you don't want to get compromised, and Luke Smith also uses pass: th-cam.com/video/sVkURNfxPd4/w-d-xo.html

    • @Jack-zy6ik
      @Jack-zy6ik 2 years ago

      that's why luke smith doesn't use a password manager. he has his own password naming convention that he has yet to share with us. he remembers all of his passwords.

  • @Tenosyn
    @Tenosyn 2 years ago +2

    My issue with password managers is "What do you do if you lose everything?". House fire, your power supply explodes, phone gets stolen. I still use them, but I'd never use their hash generation for this reason. If my key file gets lost, so do all the accounts.

  • @genken7880
    @genken7880 2 years ago +13

    By the way, using Cyrillic symbols in your password is very strong as they take two bytes each

    • @kiwi_2_official
      @kiwi_2_official 2 years ago

      just use a random string generator and generate 1,000-16,000 characters of random unicode characters from a set that contains every single unicode character.
      i got 94,000 bits of entropy on a 15k char password with a set of only 272 chars

    • @the_egg_
      @the_egg_ 2 years ago +6

      @@kiwi_2_official i like your funny words magic man

    • @kiwi_2_official
      @kiwi_2_official 2 years ago

      @@the_egg_ ok

    • @24hhhhours
      @24hhhhours 1 year ago

      @@kiwi_2_official sometimes that creates issues and will make the password shorter, because the characters take more bits in sql

    • @kiwi_2_official
      @kiwi_2_official 1 year ago

      @@24hhhhours ye

  • @drewconley6444
    @drewconley6444 2 years ago +39

    You should do a video on syncing your offline password manager to other devices (cell/desktop), or why you shouldn't.

    • @Optropicraft
      @Optropicraft 2 years ago +6

      Is there a reason not to?

    • @em_the_bee
      @em_the_bee 2 years ago

      @@Optropicraft well, technically, you'd be sharing a strongly encrypted database.
      It's just that it could be a pain in the ass to set up, even if you have something like a personal VPS

    • @mothematic
      @mothematic 2 years ago +1

      @UCOloOH-xvaDMXS-wLEX8BLA keep ass

    • @mothematic
      @mothematic 2 years ago

      @@em_the_bee YOU CHANGED IT GAHAHAHAHAH

  • @DUDA-__-
    @DUDA-__- 2 years ago +22

    My bank told me my online pin had to be at least 6 numbers, just numbers. I obviously used a longer pin, but later found out that the pin gets cut at 6 characters. So my pin is literally 6 digits. I do not approve.

    • @vgaggia
      @vgaggia 2 years ago +10

      Most banks won’t even let you have more than a 4 digit pin, but that’s okay, because to be able to use a card's pin you need to physically have the card, or the phone linked to it; also most banks will lock the account after +-3 attempts

  • @blackjackdealer204
    @blackjackdealer204 2 years ago +4

    The only password manager is a yellow sticky note with your password written on it, stuck to the bottom of your keyboard.

  • @user-xw6fg5pi8q
    @user-xw6fg5pi8q 2 years ago

    Glad i'm actually using it

  • @gabrielcalderon9572
    @gabrielcalderon9572 2 years ago +1

    I love having a long base password and just appending the website domain name at the end so that I have unique passwords for all websites

  • @brickstar56
    @brickstar56 2 years ago +3

    Immediately recognized the thumbnail passwords from an XKCD comic!

  • @Nowhere0
    @Nowhere0 2 years ago +2

    What do you think about using a foreign language in the password? I don't know what dictionaries hackers use for brute force, but definitely not some random languages from the far east

  • @leonhma
    @leonhma 2 years ago +1

    basic 8 character passwords should be fine with the help of hashing, salts and peppers, but it's 2021 and yet here we are

  • @123Dargor
    @123Dargor 2 years ago +2

    I have some accounts so old they have 6-7 digits and only in numbers. Considering websites now force you to have more "secure" passwords, those legacy passwords actually seem more secure, since hackers take into account those limitations.

  • @inparis5724
    @inparis5724 2 years ago +3

    do keywords help the algorithm?
    good video. very helpful. thank you it was enjoyable.

  • @pessimisticnihilist3691
    @pessimisticnihilist3691 2 years ago

    I will freely admit that I do not know much on computers and programming in general, but if you set up a program that perpetually monitors a word document called something like 'important passwords' or 'bank credentials' to see if anything opens it and shuts down anything that attempts to access it and alerts you to the program doing so, would that work as a potential measure against some types of viruses?

  • @MattCamp
    @MattCamp 2 years ago

    looks like 37 bots down voted the video.... thanks again for the heads up on the dislike browser extension!

  • @BradenBest
    @BradenBest 1 year ago

    An easy way to tell if a site does not hash their passwords is to click the forgot password link and see if they email you your password. I had a site do this to me and sent them a scathing email criticizing their security, explaining in detail how the database could get leaked and expose everyone's passwords, explaining what hashing is and how it fits into the auth pipeline, etc. They responded and actually fixed their password system over the next week.

  • @97Giorgos97
    @97Giorgos97 2 years ago +1

    KeepassXC gang

  • @cly_
    @cly_ 2 years ago +7

    I think having a ridiculously difficult password is great! If you have near perfect memory, and only need it for one site. And aren't worried about data leaks

  • @MikeWheelmakersson
    @MikeWheelmakersson 2 years ago +3

    @Mental I have been watching your videos on passwords and decided to go old school. So I have made a file where I entered all my accounts and passwords (16 char, randomly generated). Then I archived it and password-protected it with a 32 char password that I can remember. Is that a safe enough approach or have I missed something? For sharing, I just use google drive and sync the archive on the devices I use. So essentially, I made my own specific password manager, but I use software that is readily available on any os or platform.

    • @theelodgeovkeku
      @theelodgeovkeku 2 years ago +5

      google drive? niqqa just use a crib

  • @JonathanZigler
    @JonathanZigler 2 years ago

    Nice

  • @billfarley9015
    @billfarley9015 2 years ago +3

    I trust that dolphin. Dolphins are trustworthy and have been known to help shipwrecked sailors.

  • @eonshade6297
    @eonshade6297 2 years ago

    Awesome gen 3 sprites

  • @The_Laser_Wizard
    @The_Laser_Wizard 2 years ago +1

    Virgin Media in the UK restricts (or at least, used to restrict) password lengths to 10 characters, without allowing special characters. Then they asked me to read my password over the phone when setting up internet in a new house.

  • @HerrBlauzahn
    @HerrBlauzahn 2 years ago

    Getting real fancy with keyframes now

  • @snowcloudshinobi
    @snowcloudshinobi 2 years ago

    nice video

  • @lobster838
    @lobster838 2 years ago

    Any specific password managers you would recommend?

  • @jomon324
    @jomon324 2 years ago +1

    >makes strongest password ever
    >site I use gets backdoored and user passwords get dumped
    >*Reading Rainbow Da Da Da*

  • @Bobis32
    @Bobis32 2 years ago +1

    my "plain" text password (one that can be remembered easily but still follows some of the general rules for passwords) has 85-bit entropy; i use that plus 2FA to get to my password manager, which i try to use around 20 char passwords from

  • @AtticusHimself
    @AtticusHimself 2 years ago

    I use regular KeePass
    I've only heard of issues with KeePass XC
    Any significant differences besides the UI?

  • @Fang.
    @Fang. 2 years ago +1

    The fun sites are the ones that don't tell you the max length, AND when your password goes over it, will just use the characters up to the max as your password meaning you gotta either guess how long it was or reset it lmao.

  • @iwnl_vale
    @iwnl_vale 2 years ago

    Wow! Something actually relevant ¡¡

  • @quantisticnumbers2633
    @quantisticnumbers2633 2 years ago +2

    good video

  • @NightSkyBlade
    @NightSkyBlade 2 years ago

    I use the built in password manager of Firefox. How secure is it? Is it possible for a malicious program on your machine to extract passwords from Firefox?

  • @CMak3r
    @CMak3r 2 years ago +1

    Remember those stories about e-commerce services that stored all customers passwords as plain text on dropbox?

  • @outofahat9363
    @outofahat9363 2 years ago

    Me: "Mmm ... how complicated should passwords really be?"
    Kenny: "Lets talk about entropy"

  • @zachb1706
    @zachb1706 2 years ago

    “But what about a hacker who has their skillcape”
    That’s brilliant

  • @llortaton2834
    @llortaton2834 2 years ago +3

    A lot of websites will accept long passwords but will reduce them, meaning they cut a certain amount of characters, reducing entropy, without telling you.
    Make sure your passwords are strong from beginning to end.

    • @llortaton2834
      @llortaton2834 2 years ago

      In addition to that, some websites will outright set the password as *blank* if you happen to use a non-unicode character (like ASCII); that would be because they are built on legacy systems

  • @AkaiKnight
    @AkaiKnight 2 years ago +1

    Ok but if it’s offline how am I supposed to log into accounts on my phone and other devices?
    Also don’t most websites start denying service and locking accounts after repeated attempts to login these days? How can these dictionary attacks still work if the website is denying them access to log into the account after only 3-5 tries?
    And what if I have 2 factor auth on my online account? Doesn’t it become a moot point if my phone number is then required or some randomly generated code that only I have access to via an Authenticator?

  • @robinparadiso1701
    @robinparadiso1701 2 years ago

    CorrectHorseBatteryStable is one of my favorites IT Comics

  • @rotemdar4404
    @rotemdar4404 2 years ago

    Man, the subtitles going wild on this one