All of my passwords were generated using unique highly complex algorithms with quantum behaviors as random seeds all of which I created while I was blackout drunk in a classified location. I then deleted these algorithms and smashed the sole device that ever held them with a sledgehammer, twice. I then got blackout drunk again and buried the device’s remains somewhere that I do not know. Every time I recover the device, I hide it again using the same method. Logging into things is a difficult and often harrowing procedure for me, but at least my 12 Robux are safe until someone breaches the servers.
Thanks for the laugh. I went and pictured someone actually doing the method you listed. Holy shit man. Getting blackout drunk to protect your own passwords. Now that is on another level.
You made all this, but when you were drunk, you forgot that your password was set to "1234321", you really thought you were smart with the last '321'...
One time for a client we were doing pen testing for the network at the hospital. They always knew we were coming, but didn’t know when, and we never introduced ourselves until we were done so we could find weak points without the staff being on guard. I walked in with my laptop and sat down at the medical records desk; no one asked me a thing. After a few minutes I approached the lady at the desk and said “hey IT sent me over and said you guys were having some server issues, I just need your login information so I can check your account on the server.” No shit this girl wrote her information down and just handed it over without asking a single question. We had access to the network in under an hour.
This is unfortunately super common. And I honestly couldn't tell you what talks or programs you need to implement in the workplace to get people to watch out for this shit, since all it takes is a single person to fall for a social engineering attack to compromise everything in your company.
I actually hate forcing the user to choose a secure password. Giving them feedback on how secure it is is fine, but it should be up to the user how important the account is. Sitting there figuring out a secure password you'll never remember just to download some basic thing or set up a subscription encourages people to re-use more secure passwords they use on other sites, and then that's where their secure passwords get leaked from.
Not to mention the password can be the most secure password in the universe with an entropy value that approaches infinity, but when the company inevitably gets hacked it won't have mattered even in the slightest. I think part of it is just gaslighting users who wouldn't know better, which isn't great ethically.
Also, different users have different conceptions of what password is ideal (well, entropy is one of the objective conditions, but the rest of the conditions are subjective). I would hate to include symbols and capital letters in my password, and I already know my password is secure because I have calculated the entropy, and I have generated it using a password manager. My password does not need to be strengthened by capitals.
Dictionary attacks become much more difficult once you start using words from multiple languages. "correct horse battery staple" is suddenly a pretty good password if the words are in Navajo, Polish, Japanese and Hungarian.
Then throw in some acronyms and character substitutes along with random characters sprinkled throughout to be extra _salty_ just in case. Pun intended.
I hope you use a good salt like 1 or maybe even 2 if you’re paranoid. Stick the sticky note on the back of the monitor instead of the front for maximum security hardening. Also don’t forget to get your NordVPN subscription.
I love to see "%" symbols being declined for passwords; it means the chances of SQL injection are very high. That character is a wildcard in SQL query strings, and banning it suggests your password gets passed to SQL in an unsafe manner.
@@rainbowskeppy5292 that would give attackers a piece of info that they can use to prepare a table of hashes alongside the corresponding input strings. This would give them a time advantage for when they compromise the database and only have a short time-window to exploit their access before getting caught.
@@juanpls3856 if it works, the csv (file where all the passwords are hopefully stored for use) would interpret it as an indicator to move on to the next username/password combination. This would mean that if it works, either a) your password will only be registered as a part of your actual password b) it misaligns the way the program scans through the file, protecting everyone's password that comes later in the file or c) best case scenario, it somehow screws up the csv so bad that it is completely unreadable. The problem, of course, is that actual websites might not be able to handle it.
Honestly, as long as you're not reusing passwords and avoid the top 500 most common, you should generally be fine. I think more responsibility should be heaped onto servers for failing to properly store user data.
@@vaisakh_km did you not really read the comment, that's exactly what he said. Don't reuse and don't use common passwords, blame the server owners for their shitty datasec when it's a problem.
Password requirement sins: 1. Composition rules. 2. Regular password resets (security breach is the only acceptable reason for a forced password reset). 3. Maximum password length (if less than 64 characters). The bigger the company, the more likely they are to commit one of these sins that is actively recommended against by NIST.
"2. Regular password resets" I HATE it when they make me change my password every couple of months. I already went through the trouble of memorizing a good password that I don't use anywhere else, so why do I need to change it? I usually just try to change one character. Can't be bothered. Life too short.
The regular password reset is one of those things that are good in theory, as any password someone got unauthorized access to would only last for so long. But yeah, the problem is that they have the tendency to make people make weak passwords, and then just slightly alter them. If people adhered to what this video said every time it would actually be ideal, but we don't live in an ideal world, so it is generally a bad requirement, yes.
@@robertjenkins6132 "memorizing a good password" That there is an oxymoron. A good password is one you can't memorise, but has been auto-generated by your password manager. The ONLY exception to this is the password for your password manager, as this very video said, since... well, it doesn't help much to store your password manager's password in itself :P And if you do it like that it is just the click of a button in your manager to get a new one to change it to. (Though as I said in my other reply in this thread, due to this very behavior you show here I do believe it to be a bad requirement, but if everyone did passwords right, it is a very good requirement actually.)
The regular password resets are absolutely retarded. They lead to people writing down their passwords insecurely after a few resets, which I've seen done so many times at my job, and they turn corporate cybersecurity, something that could lead to billions of dollars of damages if something went very wrong, into a nuisance that people just want to get out of the way as fast as possible. Also, passwords prohibiting dictionary words is an awful idea too. Your average Joe isn't going to want to remember 328g90aH2daf23 just to log into their work computer, and since they can't type in something relatively secure and easy to remember with maybe 3 words and some numbers, they'll end up just going for something absolutely retarded like their initials and date of birth.
That's not true. I wrote a script to generate passwords using randomly rotating character sets, some of which use whole words from different EFF wordlists used in dice password generators. For Wi-Fi passphrases I usually have the full 63-character password memorized by the time I'm done updating all the devices on my home Wi-Fi network. But it would still take centuries to crack.
Isn’t the biggest obstacle for password cracking that you can’t just spam a site or login service with millions of passwords without getting shut out? So brute forcing works if you get something offline to work with, but not really on online user accounts. The biggest threat there is someone hacking the site and leaking stuff.
13:35 “And you’ll be able to sleep easy at night” I wish. Now I worry about the catastrophic consequences of someone getting access to my master password. Granted 2FA eases that fear slightly, instead making me fear what can happen if my 2FA device is stolen or just breaks. It never ends.
I don't know how zxcvbn copes with emoji, but at least when tested with a relatively short password, adding one or more emoji caused the estimated brute force times to shoot through the roof. I don't know if using emoji is practical at the moment, but at least it would be an interesting option for password-manager-managed logins which allow it.
@Sufuurin If by 'literally adds' you mean 'doesn't literally add' then you're correct. Emojis are utf-8 which is used globally for international or symbolic characters. You're not adding code, you're adding an additional utf character. For example: 'dumbpost' or 'спешка б', is interpreted as the same length as '😀😃😄😁😆😅😂🍆'
Cool story about password max length: I used a bank once which was later acquired by another bank. During account migration, the maximum length was reduced significantly, so my 32-symbol password no longer worked and I couldn't figure out why for a long time.
My passwords consist of 2 parts: the 1st part is a random string of letters, numbers and symbols that is always the same, and part 2 is again entirely random, but also different for each service I use. I have memorized part one since each of my passwords uses it, but when it comes to part 2 I have them written on a paper. But because my passwords consist of two parts, even if by some miracle my sheet with passwords got somehow stolen, these codes would be useless without part 1, which is only in my memory and nowhere else.
I just use a random password generator and save it in a text message I send to my dumb phone. All of my passwords I think were randomly generated. Because
8:12 One point to make here. This length check will be done on the server before the password is hashed. The server could take a 100-char password but only hash the first 20 chars.
So essentially the chars after 20 don't matter except to the unknowing user and hacker? Though a hacker could test it by making the longest acceptable password and then changing the last character… they probably would never use a “hash only the middle or last X characters” type of thing since a normal user will notice and assume the site is messed up and complain.
It is most likely due to that sort of thing, which in and of itself is a BIG red flag though, as it means they are not sterilizing the input well enough, if they are afraid of that kind of thing. Before the password gets handled, any basic code should basically be told that what is coming here is in no way, shape or form something that is code related; it is purely a possible password input to be checked with/stored in the database.
@@weakspirit_ Yeah, it is kinda a funny one, since at first glance it doesn't seem that bad: "it is just a single excluded character, sure the more possible characters the better, but surely one character can't be that bad". It is when you know the reason behind the requirement you see exactly why it is indeed VERY bad
One of my emails (spam riddled thanks to my goal to sign up for every website I come across when I was 12) is all lowercase and less than the min required. Never had a breach
If this is actually true, you just gave any hacker wanting to target you a LOT of information, cutting down the actual options a LOT (and sprinkling in random numbers and symbols is not really gonna do much, as any hacker with just a bit of experience will be checking for such very things in a relatively short amount of time, and since you already told the source of the meat of your passwords, and the smaller the list of possible "meat" for the password, the fewer options there are to sprinkle in those random bits, you narrowed it down a LOT for them).
Consider that a high-end graphics card can search more than 30 billion passwords per second and a PC can have 4 graphics cards. At least 64 bits should be used.
@@rj7250a Plus you don't know what the g low bois have, a PC with 4 GPUs is really at the low end. Plus technology advances in an exponential manner which makes passwords significantly weaker over time. There's room for more entropy in my opinion.
@@smiley_1000 many, many websites totally ban special characters at the beginning and end of passwords. Methinks they're afraid they aren't sterilizing everything correctly.
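The pattern the two comments on the % character describe, as an added example (not code from the video or from any site mentioned in the thread): a login query that splices the password into the SQL text breaks on characters such as ', which is what tempts a site into banning them, while the version beside it binds only the username as a parameter and never lets the password touch SQL at all. sqlite3 and PBKDF2 from the Python standard library are assumptions of the example, standing in for whatever database and KDF a real site uses.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demonstration; the table layouts and test values are made up for it.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # the legacy table: plaintext passwords, queried by string formatting
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    # the fixed table: only a per-user salt and a KDF digest are ever stored
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Anti-pattern: the raw password is pasted into the SQL text. Any quote inside it
    changes the statement's structure, so the site 'fixes' this by banning characters."""
    sql = "SELECT 1 FROM users_plain WHERE username = '%s' AND password = '%s'" % (username, password)
    return conn.execute(sql).fetchone() is not None


def vulnerable_breaks_on(password: str) -> bool:
    """True when the string-formatted query cannot even be executed for this password."""
    conn = make_db()
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", ("alice", password))
    try:
        vulnerable_login(conn, "alice", password)
        return False
    except sqlite3.OperationalError:
        return True


def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for a memory-hard password KDF; the password is
    # turned into bytes here and never appears as text in any SQL statement.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users (username, salt, digest) VALUES (?, ?, ?)",
                 (username, salt, _kdf(password, salt)))


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Only the username is bound, as a parameter, so ' and % in either field are plain data.
    The password is compared in application code, in constant time, against the stored digest."""
    row = conn.execute("SELECT salt, digest FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(_kdf(password, salt), digest)


if __name__ == "__main__":
    conn = make_db()
    register(conn, "bob", "100% it's fine")
    print("string-formatted query breaks on a quote:", vulnerable_breaks_on("it's"))
    print("parameterised login accepts the same characters:", safe_login(conn, "bob", "100% it's fine"))
```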
Limits for passwords ironically serve as a table to help break passwords. General rule of thumb is 15 characters minimum and some type of variation that isn't a pattern. At the end of the day at 15 characters it's still going to take someone a long fucking time to break it unless they know specifically how you created your password. If a nation state actor targets you, you're fucked anyway so it doesn't matter the length or complexity. The biggest limit to breaking someone's password is the amount of computing power you have at your disposal. It's why certain three letter agencies couldn't give a fuck about complexity as to them it's just a matter of time. For regular people 15+ is fine as most people that try to break into accounts use dictionary attacks with tables, so unless you're stupid enough to make your password something common you're fine.
@@thetruegoldenknight it's an automated system; you only are prioritized when you meet a certain threshold. For security specialists the entire point of constantly pushing the boundaries for complexity and randomization is to be ahead of ANY entity that actively tries to decrypt or reverse security methods.
Agreed on password managers. Using a password manager is becoming more important now more than ever. After I started using Bitwarden, I started using 16 characters or more for my passwords (autogenerated). And my master password is a long nonsensical sentence with a mix of words from multiple languages, since I’m trilingual, and numbers mixed in.
For xmas, a family member asked me for a chromebook. They said a financial guru suggested a chromebook, that was solely used for bank and brokerage accounts, was the best way to protect access to these accounts against hackers. How do you feel about a chromebook that after initial setup, only visits a bank and brokerage website? If you were to strip down a Linux os for the pi to serve this purpose, where would you start?
Well, to be honest, having any device whose sole use is to access critical sensitive accounts is a great idea (as long as you use a totally different password from any other account).
An easy way to tell if a site does not hash their passwords is to click the forgot password link and see if they email you your password. I had a site do this to me and sent them a scathing email criticizing their security, explaining in detail how the database could get leaked and expose everyone's passwords, explaining what hashing is and how it fits into the auth pipeline, etc. They responded and actually fixed their password system over the next week.
I still remember this one guy at an internet cafe; his Facebook password was "asd" and the rest was just him slamming his hand on the keyboard while swiping his hand on it, left to right.
When I try to find out the password rules of a page I just try to make a new account and in the password field I just write "a". It will give a list of things your password is missing.
The most secure password is one made up of just obscure Greek characters, combined with characters from other languages like Hindi, and is the length of the Bee movie script.
I use the Correct Horse Battery Staple method, but I don't reuse them. I have a little book full of my passwords. The book itself is written in code because I was a big fan of spy fiction when I was in elementary school
Oh yeah? I got bored one day and not only encoded my passwords, I also did basic encryption on them. (Not very strong encryption, but I did the math by hand, so cut me some slack here.)
@@MiguelAngel-fw4sk I used pen and paper, but then it's just super inconvenient. With a password manager I can just make 40-character-long randomly generated passwords that are more secure + they just autofill. On paper, I still had to keep the passwords simple enough + I'd have to have it on me if I wanted to log in to something. If you only had 5 accounts you could remember your passwords, but I have dozens; you just can't remember it.
If you don't trust a password manager you can any day fork or look at the code of the command-line password manager called "pass"; that's as barebones as you can get. A GNU password manager is a must if you don't want to get compromised, and Luke Smith also uses pass: th-cam.com/video/sVkURNfxPd4/w-d-xo.html
That's why Luke Smith doesn't use a password manager. He has his own password naming convention that he has yet to share with us. He remembers all of his passwords.
Just use a random string generator and generate 1,000-16,000 characters of random Unicode characters from a set that contains every single Unicode character. I got 94,000 bits of entropy on a 15k-char password with a set of only 272 chars.
I wish that more password generators had a feature where they generate a dictionary password and a random char password and then weave them together so that a dictionary attack will always fail since you don't know where the random chars are.
I like to make my own passwords that are 24 to 36 long. A tip I would recommend when making up phrase-based passwords is to purposely misspell words, and I don't mean the known way like using g0ld3n instead of golden. Instead, do it like this: golden = x~ld`n. Make a key so each vowel equals a certain symbol or value, and then instead of using the normal "leet speak" just put random letters in place of other letters. And always use a password manager and always use 2FA when available, as outlaw said.
Also, if you are bilingual it should come naturally to mix languages, and even if not, learn a few words of a random language and plug that in the way you said.
I keep seeing the "use two-factor authentication" thing. And I am not impressed. Anything that is not a password can be stolen or spoofed. To take a common example of sending a one-time code to your phone: An attacker uses social engineering to transfer your number to his device. Now you can't get into your accounts. I have asked various people who say to use two-factor authentication why this is a good thing. And I am always met with dead silence. It's like they hope my question will go away.
Pro tip: I like to come up with a memorable word or phrase and then encode it to base 64. Easy strong password. Either that or just auto generate something.
A lot of websites will accept long passwords but will reduce them, meaning they cut a certain number of characters, reducing entropy, without telling you. Make sure your passwords are strong from beginning to end.
In addition to that, some websites will outright set your password as *blank* if you happen to use a non-Unicode character (like ASCII); that would be because they are built on legacy systems.
My bank told me my online PIN had to be at least 6 numbers, just numbers. I obviously used a longer PIN, but later found out that the PIN gets cut at 6 characters. So my PIN is literally 6 digits. I do not approve.
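The truncation behaviour raised at 8:12 and in the two comments above (a site or bank that accepts a long password or PIN but hashes only a prefix), shown beside a version that hashes the whole input, together with the self-check an earlier reply suggested: enrol a long password, then log in again with only its last character changed. This is an added example, not code from the video or from any site named in the thread; PBKDF2 from the Python standard library stands in for whatever KDF a site uses, and the 20-character cutoff, byte cap and test passwords are constructed values.

```python
import hashlib
import hmac
import os

# Constructed values for the demonstration, not taken from any real site.
TRUNCATE_AT = 20          # the "only hash the first 20 chars" behaviour described in the thread
MAX_PASSWORD_BYTES = 256  # upper bound to keep KDF cost sane; the fix is to reject, never to cut silently
KDF_ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 stands in for a memory-hard password KDF
SALT_BYTES = 16


def _derive(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, KDF_ITERATIONS)


def store_truncating(password: str) -> tuple[bytes, bytes]:
    """The broken pattern: only the first TRUNCATE_AT characters ever reach the KDF, so
    everything typed after that adds no entropy and is not even checked at login.
    (bcrypt has a fixed prefix of this kind: input past 72 bytes is ignored.)"""
    salt = os.urandom(SALT_BYTES)
    return salt, _derive(password[:TRUNCATE_AT].encode("utf-8"), salt)


def verify_truncating(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_derive(password[:TRUNCATE_AT].encode("utf-8"), salt), digest)


def store_full(password: str) -> tuple[bytes, bytes]:
    """Hash the entire password. Over-long input is rejected with an error the user can see
    instead of being shortened behind their back."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password longer than {MAX_PASSWORD_BYTES} bytes")
    salt = os.urandom(SALT_BYTES)
    return salt, _derive(raw, salt)


def verify_full(password: str, salt: bytes, digest: bytes) -> bool:
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        return False
    return hmac.compare_digest(_derive(raw, salt), digest)


def silently_truncates(store, verify, length: int = 40) -> bool:
    """Audit of a site's own register/login pair: enrol a long password, then log in with
    only the last character changed. Success means the tail is being ignored."""
    original = "a" * (length - 1) + "x"   # constructed test password
    altered = "a" * (length - 1) + "y"    # same prefix, different final character
    salt, digest = store(original)
    return verify(altered, salt, digest)


if __name__ == "__main__":
    print("truncating scheme ignores the tail:", silently_truncates(store_truncating, verify_truncating))
    print("full-length scheme ignores the tail:", silently_truncates(store_full, verify_full))
```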
Most banks won’t even let you have more than a 4-digit PIN, but that’s okay because to be able to use a card's PIN you need to physically have the card, or the phone linked to it; also most banks will lock the account after +-3 attempts.
@@Optropicraft well, technically, you'd be sharing a strongly encrypted database. It's just that it could be a pain in the ass to set up, even if you have something like a personal VPS
I think having a ridiculously difficult password is great! If you have near perfect memory, and only need it for one site. And aren't worried about data leaks
Thanks for bringing up the point about the password manager. I use a cloud based one now and I plan to switch away from it soon. I also got a proton mail since I was getting an all new setup and I wanted a strong password for it.
How would you approach a company and request them to change their login methods? I know a certain website that accepts only numeric passwords with the only validation being > 0. Also, because they store it as long (probably without hashing) it caps at 19 characters.
Quite frankly, if you have a real suspicion they are storing passwords without hashing (i.e. in plain text), just ask them to delete your account, and never use them again, as they clearly don't even start to understand WTF they are doing, and that part is probably not the only thing they are doing horribly wrong as well.
In addition to the answer of John Roland Roger von Habsburg-Jagiellon-Romanov: If it's a European-based company, be sure that local authorities know about it. According to the GDPR, companies are obliged to report data theft within 72 hours. If they don't do that, and the theft becomes known, the authorities can impose a fine. Unfortunately, companies are very resistant to learning. The only way to change their behavior is through pain. 😉
@@killertigergaming6762 As long as it is a NEW one, and not your old one, and you are forced to pick a new password when you use it, it is not really an issue (and preferably the one they send you is also time limited to expire if you don't use it within a fair timeframe (a few hours at most)). But yes, if they send you the password YOU picked, they either stored it in plain text, or only encrypted (and well, encryption by its nature is designed to be reversible (even if it requires a certain "key" to do so), and as such is only barely better than plain text, and certainly WAY below the acceptable bar), or they don't force you to pick a new password; then yes it would be a HUGE issue.
My issues with password managers is "What do you do if you lose everything?". House fire, your power supply explodes, phone gets stolen. I still use them, but I'd never use their hash generation for this reason. If my key file gets lost, so do all the accounts.
When designing a password, I have three criteria.
1. Entropy, the most important criterion as it affects safety
2. Ease of recall: a password that is hard to recall just makes my life miserable
3. Ease of typing: I don't want to spend a minute typing passwords
Based on that, I decided to have a random 16-character lowercase+digit password (no symbols, no capitals). The reasons:
1. The entropy is around 82.7 bits, which is good enough. No symbols (except probably ') and capitals are needed, because if I really needed more entropy, I can just add letters, which affects entropy linearly, unlike the number of characters, which only does so logarithmically.
2. It's actually surprisingly easy to recall. I just have to try to sound out my password, and I already have much of the password remembered on the first go. You just have to add some repetition, and you can now remember the whole password. More reason to exclude capitals and symbols except ', because you can't sound them out, and the only reason you can sound out ' is because it's a common letter for a glottal stop, a phoneme that exists in my native language but not English.
3. The reason I don't like Diceware is the password is so damn long. Sure it may be easier to remember, but it would take me a minute to fully enter the password each time.
But password design is completely personal. What is easy for me is not easy for you. For example, I can sound out ', but you may not be able to. As a conlanger, I can comfortably pronounce a word with a complex consonant cluster like bgtarpks, but for most people, it's unpronounceable. So I recommend you try various strategies and pick the one you're most comfortable with.
I get why you want to use an offline password manager. But the problem is, most people have more than one device where they need their passwords. Synchronizing your passwords between your devices quickly becomes a hassle. I have not found any good solutions other than an online password manager.
I went without a password manager for longer than I care to admit. I wanted to pick a password manager that would allow me to retain as much technological independence as possible. I eventually went with pass. It's nice because I don't need to rely on any outside infrastructure. The only thing I entrust to a company is the geospatial diversity of where my passwords are hosted. I should never need to use that though as long as all of my technology isn't simultaneously wiped off the face of the earth.
The fundamental problem with that Computerphile video is that they misunderstand the xkcd comic. The entropy they calculate is already assuming an attacker has full knowledge of how the password was created. There are 44 bits of entropy. This only goes up the less the attacker knows about how you created the password. It is very important that you make this assumption when making a password. Only calculate the entropy based on full knowledge. Then you are preparing for the worst case scenario and not relying on security through obscurity.
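The full-knowledge entropy model in the comment above, the 82.7-bit figure for 16 random lowercase+digit characters from the earlier comment, and the 30-billion-guesses-per-second-per-GPU estimate given further up the thread, carried through in code. This is an added example, not code from the video or from any commenter; the guess rate and GPU count are the thread's figures (constructed constants here), and the crack-time model is an offline attack on a leaked hash, not rate-limited online guessing.

```python
import math

# Figures quoted in the thread (constructed constants, not measured here):
# one high-end GPU at ~30 billion guesses per second, four of them in one PC.
GUESSES_PER_SECOND_PER_GPU = 30e9
GPUS_PER_PC = 4
SECONDS_PER_YEAR = 365.25 * 86400


def charset_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from an alphabet of `alphabet_size`.
    Each extra character adds log2(alphabet) bits: length counts linearly, alphabet size
    only logarithmically, which is the point the 16-character comment makes."""
    return length * math.log2(alphabet_size)


def wordlist_entropy_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a passphrase of `words` words chosen uniformly from `wordlist_size` words.
    Full-knowledge model: the attacker is assumed to know the list and the word count, so each
    word is worth exactly log2(list size) bits, no matter how obscure the word looks."""
    return words * math.log2(wordlist_size)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest uniformly random string over `alphabet_size` symbols that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random secret: half the keyspace at the given guess rate.
    This is the offline case (attacker holds the hash); online logins are rate limited."""
    return (2 ** entropy_bits / 2) / guesses_per_second


def expected_crack_years(entropy_bits: float, gpus: int = GPUS_PER_PC) -> float:
    rate = GUESSES_PER_SECOND_PER_GPU * gpus
    return expected_crack_seconds(entropy_bits, rate) / SECONDS_PER_YEAR


def report(label: str, bits: float) -> str:
    return f"{label}: {bits:.1f} bits, about {expected_crack_years(bits):.3g} years on a 4-GPU PC"


if __name__ == "__main__":
    # 16 random lowercase letters and digits (alphabet of 36), as in the earlier comment
    print(report("16 x [a-z0-9]", charset_entropy_bits(36, 16)))
    # four words from a 2048-word list: the xkcd figure of 44 bits under full knowledge
    print(report("4 words from a 2048-word list", wordlist_entropy_bits(2048, 4)))
    # the 64-bit floor proposed further up the thread
    print(report("64-bit floor", 64))
    # how long a lowercase-only password must be to reach that floor
    print("lowercase-only length needed for 64 bits:", min_length_for_bits(26, 64))
```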
Virgin Media in the UK restricts (or at least, used to restrict) password lengths to 10 characters, without allowing special characters. Then they asked me to read my password over the phone when setting up internet in a new house.
Also, by having these arbitrary requirements, it makes every password less secure, since you know any given password you're trying to crack meets these requirements, so the pool of all possible passwords is much smaller.
The standard is usually set by websites (8 chars. Mix of symbols & numbers, etc.). I prefer passphrases, since they can be as unique as you can make them, and passphrases can't be guessed as easily as passwords.
That's what I'm thinking too, although about pass sentences. You'd think dictionary attacks would be slightly less effective against them as they're not just random words in simple present tense. Unless you are for some reason the specific target (in which case social engineering would be much more effective anyway) a pass phrase or pass sentence should be good enough, shouldn't it?
I think 32 or 64 would be a reasonable password length limit as these would also satisfy AES-128 or AES-256 (assuming 8 bits per character). So a password of 32 characters should be safe as long as AES-128 is considered safe. And it is.
Pro tip: For sites, where you don't *care* if you get hacked, you can just use the same short password everywhere. Got your reddit account stolen? Tragedy! It'll take 10 whole minutes to set up a new one!
Do you think introducing the name (or something else that's related) of the service into one of a few passwords which are of acceptable length (12+) would be an okay way to let "average" people use "better" passwords without needing to remember too many? While it can be predicted if it's known they do that, it makes bruteforcing more difficult so long as no one makes the connection (i.e. if multiple leaks show passwords linked to the same mail that exhibit this pattern).
That's more or less what I've been doing. I have a base password that I know, which uses lowercase and capitals, a few numbers and a few special characters. I just insert the first few letters of a website/service at some point in the password. It allows for different passwords on different websites but is very easy to remember. That way if one of your passwords is pwned somewhere it's very unlikely you can be hacked somewhere else. Of course, you should probably change your password once you realize that one of your accounts is pwned, but it gives some breathing room.
A) Use a base password that you use for everything. Random noun, name of your first crush, whatever.
B) Add in two numbers, and a special character that are always the same.
C) Write the first five letters of the website you usually enter that password on.
D) Come up with some sort of substitution cypher. Basically, a substitution cypher is one wherein you have a substitution for every letter in the alphabet, i.e. change all "a"s to "x" and so on. Find some sort of pattern that works for you. Maybe you usually type via the three-by-three grid on phones held vertically (why?), or maybe you usually type everything on a keyboard so you move everything one column over, or maybe you have some sort of algorithm that makes sense to you. Type the next 4 letters of the website you were using in (C), or go back to the start of the word if the site's name is too short.
You now have a very secure algorithm that's easily memorable, consistent, difficult to guess, reproducible if you don't remember it, and isn't immediately obvious if somebody finds your password in a database somewhere.
I have some accounts so old they have 6-7 digits and only in numbers. Considering websites now force you to have more "secure" passwords, those legacy passwords actually seem more secure, since hackers take into account those limitations.
The only reason I can think of for low bounds is to blame IT admins. Guess they don't want to have to unlock accounts constantly because people can't remember their 30-character passwords.
I had a hacker friend in high school with a photographic memory for words and numbers. He could recite pi to an extreme degree and had his Bitcoin keys memorized. That's when I realized the people who tell you "you can do anything if you try" are assholes and full of shit.
If I ever make a login system again, I'm gonna do several things:
1. Use SHA512 to hash passwords
2. Use nice big unique salts for every hashed password
3. Use RSA to encrypt everything in the database. Details like the username, email, etc.
4. Use 2FA
5. If possible, use and encourage users to use RSA public key authentication
6. When delivering the auth token, store information about the user like their IP address and verify this information every time the auth token is checked
7. Instead of password rules, they will be clearly marked as password _suggestions._ You can break the rules if you choose to.

1. Makes it harder for database leaks to give away passwords
2. Makes it harder to use a rainbow table
3. Makes it harder for database leaks to give away user information (they'd need the private key)
4. Adds an extra layer of authentication
5. Would hopefully replace passwords as the primary auth mechanism and password+2FA would only be used in the event that the user loses their private key
6. Makes cookie theft harder, because for starters, the bad actor would need to have their public IP be the same as the user that's currently logged in. If the IPs don't match, the auth token is thrown away and the user's logged out
7. Prevents password crackers from gaining an advantage
Wait wait? An actual true video on this topic? I totally went into this expecting to correct the video, as 99.99% of these types of videos are totally wrong (even if the intent is good most times). But yeah, if you can remember your password, it is not strong enough, yeah (and then use the effort needed to make that one strong password as the only one you can remember for your password manager, which is exactly what this video said). So kudos to you for making an actual true video on this subject for once :)
What do you feel about self-hosted hosting? Like connecting to a raspberry pi you keep at home and syncing the password database once a day or something.
7:20 Nobody would leave the passwords unhashed. Except government sites of 3rd world countries; like in my country some government sites do not even have HTTPS, which is a basic security feature, imagine using hashing. When there is a hash, it is MD5 or SHA-1; the latter you can crack in some weeks on a very powerful computer and the former can be cracked in seconds. Only top government sites have secure hashes.
Not even third world my dude, even the CIA does shit like that, just some time ago someone managed to send emails through their official email because of a shenanigan of this type
What do you think about using foreign language in the password? I don't know what dictionary hacker use for brute force but definitely not some random languages from far east
Passwords are the most fundamentally important things we as humans have ranging from being able to log in to insta to being able to access your bank account But yet we just treat it so casually out of laziness and so companies(or even schools)that people work in... had to put expiry on passwords so you have to change it 😂😂😂
Wouldn't using an offline password manager with random passwords mean you'd have no way to access said passwords without access to said device? What if said device goes bust and you no longer have access to it?
You can always make backups of it on a flash drive or something and put it in a safe. Just make sure to make backups of it regularly. (i.e. when you change or add a new password)
*On some GNU/Linux user-friendly distros. Linux is just a kernel and not all distros have to be bloat. Anyway, I think one can reach the Pop OS or Mint team/community to talk about that. If I ain't wrong, some distros do that already.
All of my passwords were generated using unique highly complex algorithms with quantum behaviors as random seeds all of which I created while I was blackout drunk in a classified location.
I then deleted these algorithms and smashed the sole device that ever held them with a sledgehammer, twice.
I then got blackout drunk again and buried the device’s remains somewhere that I do not know. Every time I recover the device, I hide it again using the same method.
Logging into things is a difficult and often harrowing procedure for me, but at least my 12 Robux are safe until someone breaches the servers.
Thanks for the laugh. I went and pictured someone actually doing the method you listed.
Holy shit man. Getting blackout drunk to protect your own passwords. Now that is on another level.
Lmao 😂
r/thatHappened
@solar2655 You got me!
You made all this, but when you were drunk, you forgot that your password was set to "1234321", you really thought you were smart with the last '321'...
One time for a client we were doing pen testing for the network at the hospital. They always knew we were coming, but didn’t know when, and we never introduced ourselves until we were done so we could find weak points without the staff being on guard.
I walked in with my laptop and set down at the medical records desk, no one asked me a thing. After a few minutes I approached the lady at the desk and said “hey IT sent me over and said you guys were having some server issues, I just need your log in information so I can check your account on the server.”
No shit this girl wrote her information down and just handed it over without asking a single question. We had access to the network in under an hour.
Cool story bro
This is unfortunately super common. And I honestly couldn't tell you what talks or programs you need to implement in the workplace to get people to watch out for this shit, since all it takes is a single person to fall for a social engineering attack to compromise everything in your company.
Sounds too fake to be true...but I know it's true, because reality can be more stupid and fucked up than fiction or the dumbest conspiracy theories.
I had this client who used an ancient email service that was not encrypted.
@icipher6730 Considering people fall for almost identical scams in personal life all the time too, no surprise companies fail at it too.
I actually hate forcing the user to choose a secure password. Telling them feedback how secure it is is fine, but it should be up to the user how important the account is. Sitting there figuring out a secure password you'll never remember just to download some basic thing or set up a subscription encourages people to re-use more secure passwords they use on other sites and then that's where their secure passwords get leaked from.
Any kind of password limitations will just help hackers in the long run
Not allowing word list passwords would be good tho
Not to mention the password can be the most secure password in the universe with an entropy value that approaches infinity, but when the company inevitably gets hacked it won't have mattered even in the slightest.
I think part of it is just gaslighting users who wouldn't know better, which isn't great ethically.
Also different user has a different conception on what password is ideal (well entropy is one of the objective condition, but the rest of the condition is subjective)
I would hate to include symbols and capital letters on my password and I already know my password is secure because I have calculated the entropy, and I have generated it using a password manager. My password does not need to be strengthened by capitals
Yet its you responsible for your users not to get hacked
Dictionary attacks become much more difficult once you start using words from multiple languages. "correct horse battery staple" is suddenly a pretty good password if the words are in Navajo, Polish, Japanese and Hungarian.
Then throw in some acronyms and character substitutes along with random characters sprinkled throughout to be extra _salty_ just in case.
Pun intended.
And then after I write word in Polish site says "you can't write special characters" where I use letter ń
@janekk8833 I wish more sites would permit special characters in passwords. They need to seriously get with the times.
@bina7513 Word, I wanna put emojis in my passwords.
I invented a few words in my own language, and put two in my passwords each.
everybody knows that you should always use "password" as your password
Only if you spell it with leet speak sideways.
y e s
Make it longer. Have you considered passwordpassword?
yeah it literally already tells you how to type it
I hope you use a good salt like 1 or maybe even 2 if you’re paranoid stick the sticky note on the back of the monitor instead of the front for maximum security hardening also don’t forget to get your nordVPN subscription
My passwords are so secure that even I don't know half of them.
Unironically the right way of doing it
So how do you log in to websites? Or do you always stay logged in?
You shouldn't know any of them honestly.
Haha I only know about 5% of my passwords
@krystiandzik9886 Password managers, probably.
I love to see "%" symbols being declined for passwords; it means the chances of SQL injection are very high.
That character is a wildcard in SQL query strings, and banning it suggests your password gets passed to SQL in an unsafe manner.
At that point they're just begging for it.
hash the password client side and theres no issue using very long passwords and you can use all unicode characters
@rainbowskeppy5292 That would give attackers a piece of info that they can use to prepare a table of hashes alongside the corresponding input strings. This would give them a time advantage for when they compromise the database and only have a short time window to exploit their access before getting caught.
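The two threads above (the salted-hash login design, and the "%" character being refused because it leaks through to SQL) describe what correct password storage should look like without showing it. The following is an added example written for this page, not code from any commenter or from the video: per-user random salt, a deliberately slow memory-hard KDF (`hashlib.scrypt` from the standard library, used here in place of a bare fast hash), a constant-time comparison, and parameterised queries so that "%", quotes, semicolons and emoji never have to be banned from a password. The table layout, the scrypt cost parameters and the sample password are this example's own choices.

```python
"""Added example: salted, slow password hashing plus parameterised SQL.
Not the code of any commenter or project on this page."""
import hashlib
import hmac
import secrets
import sqlite3

# scrypt cost parameters (assumed values; tune to your hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key; scrypt is slow and memory-hard on purpose."""
    # The per-user salt makes precomputed tables useless and keeps two
    # users with the same password from sharing a hash.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
               "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    return db


def register(db: sqlite3.Connection, username: str, password: str) -> None:
    salt = secrets.token_bytes(SALT_BYTES)
    # Parameterised query: the password never becomes part of SQL text,
    # so '%' (a LIKE wildcard), quotes and semicolons are harmless.
    db.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))


def verify(db: sqlite3.Connection, username: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        # Burn a KDF call anyway so a missing user is not obvious from timing.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = row
    # Constant-time comparison of the derived key.
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo() -> dict:
    """Register two users with the same awkward password and check behaviour."""
    db = open_db()
    # Constructed password: wildcard, quote, SQL keywords, emoji, 185 chars.
    nasty = "100% s'ure; DROP TABLE users; -- 🍆 " + "x" * 150
    register(db, "alice", nasty)
    register(db, "bob", nasty)
    hashes = [db.execute("SELECT pw_hash FROM users WHERE username = ?",
                         (u,)).fetchone()[0] for u in ("alice", "bob")]
    return {
        "correct": verify(db, "alice", nasty),
        "wrong": verify(db, "alice", nasty[:-1]),     # last char dropped: must fail
        "unknown_user": verify(db, "mallory", nasty),
        "salts_differ": hashes[0] != hashes[1],        # same password, different hash
        "table_intact": db.execute("SELECT COUNT(*) FROM users").fetchone()[0] == 2,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the last two checks: the same password produces different rows for alice and bob because of the salt, and the "DROP TABLE" text inside the password never reached the SQL engine as code. The cost parameters are deliberately modest so the demo runs quickly; raise them in production until a single derivation takes tens of milliseconds on your hardware.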
Also, always have a comma in there so that when a site leaks your password, it screws up the csv your password gets dumped into.
Big if true.
damn, big brain
preferably, type a
to mess it even more
Can you explain
@juanpls3856 If it works, the CSV (the file where all the passwords are hopefully stored for use) would interpret it as an indicator to move on to the next username/password combination. This would mean that if it works, either
a) your password will only be registered as a part of your actual password
b) it misaligns the way the program scans through the file, protecting everyone's password that comes later in the file
or c) best case scenario, it somehow screws up the csv so bad that it is completely unreadable.
The problem, of course, is that actual websites might not be able to handle it.
Honestly, as long as you're not reusing passwords and avoid the top 500 most common, you should generally be fine. I think more responsibility should be heaped onto servers for failing to properly store user data.
We can blame servers.... But at the same time we also have a responsibility of protecting ourselves...
We wouldn't have to even protect ourselves if there werent so many logins.
Øķ ¡ñþəřéß þįñğ
@vaisakh_km Did you not really read the comment? That's exactly what he said. Don't reuse and don't use common passwords; blame the server owners for their shitty datasec when it's a problem.
@vaisakh_km wtf do you want us to do, unbreach the servers?
Password requirement sins: 1. Composition rules. 2. Regular password resets (security breach is the only acceptable reason for a forced password reset). 3. Maximum password length (if less than 64 characters).
The bigger the company, the more likely they are to commit one of these sins that is actively recommended against by NIST.
"2. Regular password resets"
I HATE it when they make me change my password every couple of months. I already went through the trouble of memorizing a good password that I don't use anywhere else, so why do I need to change it? I usually just try to change one character. Can't be bothered. Life too short.
The regular password reset is one of those things that are good in theory, as any password someone got unauthorized access to would only last for so long. But yeah, the problem is that they have the tendency to make people make weak passwords, and then just slightly alter them. If people adhered to what this video said every time it would actually be ideal, but we don't live in an ideal world, so it is generally a bad requirement, yes.
@robertjenkins6132 "memorizing a good password" That there is an oxymoron. A good password is one you can't memorise, but which has been auto-generated in your password manager. The ONLY exception to this is the password for your password manager, as this very video said, since... well, it doesn't help much to store your password manager's password in itself :P And if you do it like that it is just the click of a button in your manager to get a new one to change it to. (Though, as I said in my other reply in this thread, due to this very behaviour you show here I do believe it to be a bad requirement, but if everyone did passwords right, it is actually a very good requirement)
the regular password resets are absolutely retarded. they lead to people writing down their passwords insecurely after a few resets, which i've seen done so many times at my job, and they turn corporate cybersecurity, something that could lead to billions of dollars of damages if something went very wrong, into a nuisance that people just want to get out of the way as fast as possible.
also passwords prohibiting dictionary words is an awful idea too. your average joe isn't going to want to remember 328g90aH2daf23 just to log into their work computer, and since they can't type in something relatively secure and easy to remember with maybe 3 words and some numbers, they'll end up just going for something absolutely retarded like their initials and date of birth.
That's not true. I wrote a script to generate passwords using randomly rotating character sets, some of whose characters are whole words from different EFF wordlists used in dice password generators. For Wi-Fi passphrases I usually have the full 63-character password memorized by the time I'm done updating all the devices on my home Wi-Fi network. But it would still take centuries to crack.
Isn’t the biggest obstacle for password cracking that you can’t just spam a site or login service with millions of passwords without getting shut out? So brute forcing works if you get something offline to work with, but not really on online user accounts. The biggest threat there is someone hacking the site and leaking stuff.
Bypassable, since most websites block the IP you are making the request from, not the machine itself.
@ZoReeXHD Even if they never ban you, each request takes a significant amount of time.
@George Soros So they just measure response time instead of waiting for a response from the server?
lmfao you guys don't know shit. Cracking happens after a leak; brute-forcing through a site's login page is completely not feasible.
@George Soros If the server security is crappy enough, why don't you just use something better than attempting to brute-force someone's password?
13:35
“And you’ll be able to sleep easy at night”
I wish. Now I worry about the catastrophic consequences of someone getting access to my master password. Granted 2FA eases that fear slightly, instead making me fear what can happen if my 2FA device is stolen or just breaks.
It never ends.
I don't know how zxcvbn copes with emoji but at least when tested with a relatively short password adding one or more emoji caused the estimated brute force times to shoot through the roof. I don't know if using emoji is practical at the moment but at least it would be interesting option for password manager managed logins which allow it.
Anti Brute force and dictionary Password : 変態のHackers
Haha, password cracking only applies to English.
The hackers are just stupid anyway!
IDK how many sites even allow you to go outside standard ASCII for the passwords, nevermind using emojis instead
@Sufuurin If by 'literally adds' you mean 'doesn't literally add' then you're correct. Emojis are utf-8 which is used globally for international or symbolic characters. You're not adding code, you're adding an additional utf character.
For example: 'dumbpost' or 'спешка б', is interpreted as the same length as '😀😃😄😁😆😅😂🍆'
@Sufuurin That definitely is not what you meant.
@iusegentoobtw Aren't emojis UTF-16? Not the HTML ones, but things like different race emojis, different sex emojis and things like that.
Cool story about password max length: I used a bank once which was later acquired by another bank.
During account migration, the maximum length was reduced significantly, so my 32-symbol password no longer worked and I couldn't figure out why for a long time.
Wow that is a cool story!
It's evolving! Just backwards-
So this probably means they're storing your password in plaintext.
@99temporal Not really. Most likely they just truncate the password before hashing.
I think I know which bank you are referring to.
My passwords consist of 2 parts: part 1 is a random string of letters, numbers and symbols that is always the same, and part 2 is again entirely random, but also different for each service I use. I have memorized part 1, since each of my passwords uses it, but when it comes to part 2 I have them written on paper. Because my passwords consist of two parts, even if by some miracle my sheet with passwords somehow got stolen, those codes would be useless without part 1, which is only in my memory and nowhere else.
I just use a random password generator and save it in a text message I send to my dumb phone.
All of my passwords I think were randomly generated. Because
Imagine getting early-onset Alzheimer's and now you're fucked
okay that's actually a really good one, I might start using this method
many thanks
@Mialisus lmao sounds like a Bateman meme, nice
Thnx so much, you're a genius. I will start using this method.
8:12 One point to make here. This length check will be done on the server before the password is hashed.
The server could take a 100-char password but only hash the first 20 chars.
So essentially the chars after 20 don't matter, except to the unknowing user and hacker? Though a hacker could test it by making the longest acceptable password and then changing the last character... They probably would never use a "hash only the middle or last X characters" type of thing, since a normal user would notice, assume the site is messed up and complain.
6:15 Is that because of some SQL injections? Why wouldn't they allow you to use the "%" signs?
printf, url-encoding
(Both should not be near passwords)
It is most likely due to that sort of thing, which in and of itself is a BIG red flag though, as it means they are not sanitizing the input well enough if they are afraid of that kind of thing. Before the password gets handled, any basic code should basically be told that what is coming here is in no way, shape or form something that is code related; it is purely a possible password input to be checked with/stored in the database.
@weakspirit_ Yeah, it is kinda a funny one, since at first glance it doesn't seem that bad: "it is just a single excluded character; sure, the more possible characters the better, but surely one character can't be that bad". It is when you know the reason behind the requirement that you see exactly why it is indeed VERY bad.
@weakspirit_ My stomach literally dropped when I read this comment, lmao! The ways I've seen Excel abused...
The best password is when your password is less than the character minimum requirement since you never updated it 😂
One of my emails (spam-riddled thanks to my goal of signing up for every website I came across when I was 12) is all lowercase and less than the minimum required. Never had a breach.
My passwords are just random excerpts from the uncle Ted's manifesto or Hoppe's books with random numbers and with symbols sprinkled throughout
If this is actually true, you just gave any hacker wanting to target you a LOT of information, cutting down the actual options a LOT (and sprinkling in random numbers and symbols is not really gonna do much, as any hacker with just a bit of experience will be checking for such very things in a relatively short amount of time; and since you already told the source of the meat of your passwords, and the smaller the list of possible "meat" for the password, the fewer options there are to sprinkle in those random bits, you narrowed it down a LOT for them).
@GummieI Please go back to reddit.
@NumeroPerdido shut up
I use Catcher in the Rye.
@GummieI Bruh, the stuff in your parentheses is longer than the actual sentence itself.
2^32 would be 4.2 billion, 2^33 would be double that, etc. so 2^53 is much more than billions even with the birthday paradox
Consider that a high-end graphics card can search more than 30 billion passwords per second and a PC can have 4 graphics cards.
At least 64 bits should be used.
@rj7250a Plus you don't know what the glow bois have; a PC with 4 GPUs is really at the low end. Plus technology advances in an exponential manner, which makes passwords significantly weaker over time. There's room for more entropy in my opinion.
wtf does that even mean lmao there are no birthdays
The best password is "incorrect." That way if you type it wrong, most apps and sites will tell you, "The password you entered is incorrect."
Put a space at the end of your password so that the Hacker will get frustrated trying to enter it
@smiley_1000 Many, many websites totally ban special characters at the beginning and end of passwords. Methinks they're afraid they aren't sanitizing everything correctly.
Big brain over here
Problem: Other languages being used by the attackers or apps
@flyingstonemon3564 New password: "Incorrecto"
all my friend [REDACTED]'s passwords are just his username spelled backwards... king shit
what's your friend's name?
I took a King Shit
@Tungsten Dioxide the reversed brackets confuse and anger me
Limits for passwords ironically serve as a table to help break passwords. General rule of thumb is 15 characters minimum and some type of variation that isn't a pattern.
At the end of the day at 15 characters it's still going to take someone a long fucking time to break it unless they know specifically how you created your password. If a nation state actor targets you, you're fucked anyway so it doesn't matter the length or complexity. The biggest limit to breaking someone's password is the amount of computing power you have at your disposal. It's why certain three letter agencies couldn't give a fuck about complexity as to them it's just a matter of time. For regular people 15+ is fine as most people that try to break into accounts use dictionary attacks with tables, so unless you're stupid enough to make your password something common you're fine.
I absolutely know of those "three letter agencies". And let's just say I'm beneath their notice, so I'm not worried.
@thetruegoldenknight It's an automated system; you are only prioritized when you meet a certain threshold. For security specialists the entire point of constantly pushing the boundaries for complexity and randomization is to be ahead of ANY entity that actively tries to decrypt or reverse security methods.
There is another meme from xkcd where they have to choose between cracking the super complicated password or using a $5 wrench.
@Nobody You don't get it. You hit the password owner with the wrench until they tell you. Or get them drunk and ask them the password. Or both.
In Russia this method is called "thermorectal cryptanalysis".
It's called rubber-hose cryptanalysis.
You know it’s strong when you can’t even remember the password
@Nobody lmao
@SoulStacker that's the point he can't remember himself.
I change my passwords every week and ensure they are all very strong. Mostly because I forget all of them
This is no longer recommended.
@binarycat1237 Y
You're allowed to laugh, guys!
@binarycat1237 Can you develop? Personally I don't change my passwords (except bad ones or the Epik one lol), but I thought it'd be more secure.
@binarycat1237 What happened?
Agreed on password managers. Using a password manager is becoming more important now more than ever. After I started using Bitwarden, I started using 16 characters or more for my passwords (autogenerated). And my master password is a long nonsensical sentence with a mix of words from multiple languages, since I'm trilingual, and numbers mixed in.
For xmas, a family member asked me for a chromebook. They said a financial guru suggested a chromebook, that was solely used for bank and brokerage accounts, was the best way to protect access to these accounts against hackers. How do you feel about a chromebook that after initial setup, only visits a bank and brokerage website?
If you were to strip down a Linux os for the pi to serve this purpose, where would you start?
Well, to be honest, having any device whose sole use is to access critical sensitive accounts is a great idea (as long as you use a totally different password from any other account).
4:41 one of the many reasons i love your work. God bless you bro
I know this isn't a Linux-related video, but thanks to your content you have convinced me to switch to Linux Mint, and now I am a proud Linux user.
An easy way to tell if a site does not hash their passwords is to click the forgot password link and see if they email you your password. I had a site do this to me and sent them a scathing email criticizing their security, explaining in detail how the database could get leaked and expose everyone's passwords, explaining what hashing is and how it fits into the auth pipeline, etc. They responded and actually fixed their password system over the next week.
I still remember this one guy at an internet cafe; his Facebook password was "asd" and the rest was just him slamming his hand on the keyboard while swiping his hand across it, left to right.
It would also be nice to have a copy of the password rules on the login page, so I can remember which rules I used when I created the password
When I try to find out the password rules of a page I just try to make a new account and in the password field I just write "a". It will give a list of things your password is missing.
The most secure password is one made up of just obscure Greek characters, combined with characters from other languages like Hindi, and is the length of the Bee movie script.
just run the bee movie script through a digital replica of the enigma machine
I use the Correct Horse Battery Staple method, but I don't reuse them. I have a little book full of my passwords.
The book itself is written in code because I was a big fan of spy fiction when I was in elementary school
Extremely cool
Oh yeah? I got bored one day and not only encoded my passwords, I also did basic encryption on them. (Not very strong encryption, but I did the math by hand, so cut me some slack here.)
Wouldn't "Password Managers" go contrary to Luke Smith's philosophy that "You shouldn't rely important stuff on technology more than you really need"?
Use a text file lol
Or a pen and paper
@MiguelAngel-fw4sk I used pen and paper, but then it's just super inconvenient. With a password manager I can just make 40-character-long randomly generated passwords that are more secure, plus they just autofill. On paper, I still had to keep the passwords simple enough, plus I'd have to have it on me if I wanted to log in to something. If you only had 5 accounts you could remember your passwords, but I have dozens; you just can't remember them.
If you don't trust a password manager you can always fork or look at the code of the command-line password manager called "pass"; that's as barebones as you can get.
A GNU password manager is a must if you don't want to get compromised, and Luke Smith also uses pass: th-cam.com/video/sVkURNfxPd4/w-d-xo.html
that's why luke smith doesn't use a password manager. he has his own password naming convention that he has yet to share with us. he remembers all of his passwords.
6:58 Whether an emoji is one character or more characters depends on how the server is set up (most of the time, if unsupported, longer than a character).
By the way, using Cyrillic symbols in your password is very strong as they take two bytes each
just use a random string generator and generate 1,000-16,000 characters of random unicode characters from a set that contains every single unicode character.
i got 94,000 bits of entropy on a 15k char password with a set of only 272 chars
@@the_egg_ ok
@@kiwi_2_official sometimes that creates issues because and will make the password shorter because the characters take more bits in sql
@@24hhhhours ye
I wish that more password generators had a feature where they generate a dictionary password and a random char password and then weave them together so that a dictionary attack will always fail since you don't know where the random chars are.
I like to make my own passwords that are 24 to 36 long. A tip I would recommend when making up phrase-based passwords: purposely misspell words, and I don't mean the known way, like using g0ld3n instead of golden. Instead, do it like this: golden = x~ld`n. Make a key so each vowel equals a certain symbol or value, and then instead of using the normal "leet speak" just put random letters in place of other letters. And always use a password manager and always use 2FA when available, as outlaw said.
Also, if you are bilingual it should come naturally to mix languages; even if not, learn a few words of a random language and plug that in the way you said.
I keep seeing the "use two-factor authentication" thing. And I am not impressed. Anything that is not a password can be stolen or spoofed. To take a common example of sending a one-time code to your phone: An attacker uses social engineering to transfer your number to his device. Now you can't get into your accounts. I have asked various people who say to use two-factor authentication why this is a good thing. And I am always met with dead silence. It's like they hope my question will go away.
why so paranoid? As if anyone would even care enough to try to crack your password
@AverageAlien lmao
@AverageAlien glow
Pro tip: I like to come up with a memorable word or phrase and then encode it to base 64. Easy strong password.
Either that or just auto generate something.
A lot of websites will accept long passwords but will reduce them, meaning they cut a certain number of characters, reducing entropy, without telling you.
Make sure your passwords are strong from beginning to end.
In addition to that, some websites will outright store the password as *blank* if you happen to use a non-Unicode character (like ASCII); that would be because they are built on legacy systems.
My bank told me my online PIN had to be at least 6 numbers, just numbers. I obviously used a longer PIN, but later found out that the PIN gets cut at 6 characters. So my PIN is literally 6 digits. I do not approve.
Most banks won't even let you have more than a 4-digit PIN, but that's okay, because to be able to use a card's PIN you need to physically have the card, or the phone linked to it; also, most banks will lock the account after +-3 attempts.
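Two threads above (8:12, "only hash the first 20 chars", and the bank that silently cuts a PIN at 6 digits) describe silent truncation before hashing and suggest how a user could detect it: log in with prefixes of a known password. The following added example, written for this page and not taken from any commenter, simulates such a service and implements that probe against it. `TruncatingService`, its limits and the sample passwords are constructed for the demo; the probe itself only needs a `login(password) -> bool` callable.

```python
"""Added example: detecting a server that hashes only the first N characters.
Not code from any commenter; the service below is a stand-in."""
import hashlib
import hmac
import secrets


class TruncatingService:
    """Stand-in for a site that hashes only the first `max_hashed` characters."""

    def __init__(self, max_hashed: int):
        self.max_hashed = max_hashed
        self.salt = secrets.token_bytes(16)
        self.stored = None

    def _digest(self, password: str) -> bytes:
        trimmed = password[:self.max_hashed]          # the silent truncation
        return hashlib.pbkdf2_hmac("sha256", trimmed.encode("utf-8"),
                                   self.salt, 10_000)

    def set_password(self, password: str) -> None:
        self.stored = self._digest(password)

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self._digest(password), self.stored)


def probe_effective_length(login, password: str) -> int:
    """Return how many leading characters of `password` actually matter.
    Tries prefixes from shortest to longest; the first prefix that logs in
    marks the truncation point. Returns len(password) if nothing is dropped."""
    for k in range(1, len(password)):
        if login(password[:k]):
            return k
    return len(password)


def check_for_truncation(max_hashed: int, password: str) -> dict:
    """Register `password` on a simulated service and probe it from outside."""
    svc = TruncatingService(max_hashed)
    svc.set_password(password)
    effective = probe_effective_length(svc.login, password)
    truncated = effective < len(password)
    # Second check: garbage beyond the limit must still log in if truncated.
    tail_ignored = truncated and svc.login(
        password[:effective] + "Z" * (len(password) - effective))
    return {"effective_length": effective,
            "truncated": truncated,
            "tail_ignored": tail_ignored}


if __name__ == "__main__":
    pw = "correct-horse-battery-staple-991"          # constructed, 32 characters
    print(check_for_truncation(20, pw))              # first 20 chars hashed only
    print(check_for_truncation(6, "84129371"))       # 6-digit PIN cap
    print(check_for_truncation(100, pw))             # no truncation
```

Against a real site the same probe costs one login attempt per prefix, so it will trip lockouts and rate limits and should only be run on your own account with that in mind; a single attempt with the last character changed, as the commenter suggests, is the cheap version. The best-known real-world instance of this behaviour is bcrypt's 72-byte input limit, which some backends apply without telling the user.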
You should do a video on syncing your offline password manager to other devices (cell/desktop), or why you shouldn't.
Is there a reason not to?
@Optropicraft Well, technically, you'd be sharing a strongly encrypted database.
It's just that it could be a pain in the ass to set up, even if you have something like a personal VPS.
@UCOloOH-xvaDMXS-wLEX8BLA keep ass
@em_the_bee YOU CHANGED IT GAHAHAHAHAH
never disappointed by the b roll for this channel
I think having a ridiculously difficult password is great! If you have near perfect memory, and only need it for one site. And aren't worried about data leaks
Thanks for bringing up the point about the password manager. I use a cloud based one now and I plan to switch away from it soon. I also got a proton mail since I was getting an all new setup and I wanted a strong password for it.
KeePass or Bitwarden.
I was just watching your old videos on passwords glad you released a new one.
i wanna flex my perfect password so badly
How would you approach a company and request them to change their login methods?
I know a certain website that accepts only numeric passwords with the only validation being > 0. Also, because they store it as long (probably without hashing) it caps at 19 characters.
The most effective way is always hacking them and sending them a full list of their customer data.
Quite frankly, if you have a real suspicion they are storing passwords without hashing (i.e. in plain text), just ask them to delete your account and never use them again, as they clearly don't even begin to understand WTF they are doing, and that part is probably not the only thing they are doing horribly wrong as well.
In addition to the answer of John Roland Roger von Habsburg-Jagiellon-Romanov: if it's a European-based company, be sure that local authorities know about it. According to the GDPR, companies are obliged to report data theft within 72 hours. If they don't do that, and the theft becomes known, the authorities can impose a fine.
Unfortunately, companies are very resistant to learning. The only way to change their behaviour is through pain. 😉
Reminds me of the time I tried to reset my password for a site and they just sent me a new password in plaintext through email.
@killertigergaming6762 As long as it is a NEW one, and not your old one, and you are forced to pick a new password when you use it, it is not really an issue (and preferably the one they send you is also time-limited to expire if you don't use it within a fair timeframe (a few hours at most)). But yes, if they send you the password YOU picked, they either stored it in plain text, or only encrypted (and well, encryption by its nature is designed to be reversible (even if it requires a certain "key" to do so), and as such is only barely better than plain text, and certainly WAY below the acceptable bar), or they don't force you to pick a new password; then yes, it would be a HUGE issue.
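The "forgot password" comment earlier on this page (a site that e-mails your own password back cannot be hashing it) and the reply just above (a mailed reset credential is fine only if it is fresh, time-limited and forces a new password) together describe the reset flow a site should have. The following added example, written for this page and not taken from any commenter, implements that flow: the server never holds a reversible copy of the password, a reset mints a random one-time token, stores only the token's hash with an expiry, and redemption consumes the token. The one-hour lifetime, the in-memory store and the injectable clock are this example's own choices; what happens after a successful redemption (setting the new password) is left to the caller's normal password-setting code.

```python
"""Added example: one-time, time-limited password reset tokens with only
their hash stored server-side.  Not code from any commenter or project."""
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 3600           # assumed policy: the link dies after one hour
RESET_STORE = {}                   # token_hash -> (username, expires_at)


def _token_hash(token: str) -> bytes:
    # Store a hash, not the token, so a leaked table of pending resets
    # cannot be redeemed. A dict lookup is fine here: the token has 256
    # bits of entropy, so a lookup-timing oracle buys an attacker nothing.
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_reset(username: str, now: Optional[float] = None) -> str:
    """Mint the token to e-mail to the user; keep only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                  # 256 random bits
    RESET_STORE[_token_hash(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username the token was issued for, or None.
    The token is consumed on first use whether or not it is still fresh."""
    now = time.time() if now is None else now
    entry = RESET_STORE.pop(_token_hash(token), None)
    if entry is None:
        return None                                    # unknown or already used
    username, expires_at = entry
    if now > expires_at:
        return None                                    # expired
    return username                                    # caller now forces a new password


def demo() -> dict:
    """Exercise the happy path, a replay, an expired token and a forged one."""
    t0 = 1_700_000_000.0                               # constructed timestamp
    tok = issue_reset("alice", now=t0)
    first = redeem_reset(tok, now=t0 + 60)             # fresh: succeeds
    second = redeem_reset(tok, now=t0 + 61)            # replay: already consumed
    stale = issue_reset("bob", now=t0)
    late = redeem_reset(stale, now=t0 + TOKEN_TTL_SECONDS + 1)   # expired
    bogus = redeem_reset(secrets.token_urlsafe(32), now=t0)      # never issued
    return {"first": first, "second": second, "late": late,
            "bogus": bogus, "pending_left": len(RESET_STORE)}


if __name__ == "__main__":
    print(demo())
```

The contrast with the behaviour the comments complain about: nothing the site e-mails here is a password, nothing it stores can be turned back into one, and the mailed link stops working after one use or one hour, whichever comes first.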
I trust that dolphin. Dolphins are trustworthy and have been known to help shipwrecked sailors.
My issues with password managers is "What do you do if you lose everything?". House fire, your power supply explodes, phone gets stolen. I still use them, but I'd never use their hash generation for this reason. If my key file gets lost, so do all the accounts.
Backup or cloud based ones like Bitwarden with automated backups in the cloud.
Thanks for linking the bad password rules. Made my day.
When designing a password, I have three criteria.
1. Entropy, the most important criterion as it affects safety
2. Ease of recall: A password that is hard to recall just makes my life miserable
3. Ease of typing: I don't want to spend a minute typing passwords
Based on that, I decided to have a random 16-character lowercase+digit password (no symbols, no capitals). The reason:
1. The entropy is around 82.7 bits, which is good enough. No symbols (except probably ') and capitals are needed, because if I really needed more entropy, I could just add letters, which affects entropy linearly, unlike the number of possible characters, which affects it only logarithmically.
2. It's actually surprisingly easy to recall. I just have to try to sound out my password, and I already have much of the password remembered on the first go. You just have to add some repetition, and you can now remember the whole password. More reason to exclude capitals and symbols except ': you can't sound them out, and the only reason you can sound out ' is because it's a common letter for a glottal stop, a phoneme that exists in my native language but not English.
3. The reason I don't like Diceware is that the password is so damn long. Sure, it may be easier to remember, but it would take me a minute to fully enter the password each time.
But password design is completely personal. What is easy for me is not easy for you. For example, I can sound out ', but you may not be able to. As a conlanger, I can comfortably pronounce a word with a complex consonant cluster like bgtarpks, but for most people, it's unpronounceable. So I recommend you try various strategies and pick the one you're most comfortable with.
I get why you want to use an offline password manager. But the problem is, most people have more than one device where they need their passwords. Synchronizing your passwords between your devices quickly becomes a hassle. I have not found any good solution other than an online password manager.
Maybe offline password manager + syncing?
@tublyaat270 Syncthing works amazingly. Until you try to sync files bidirectionally.
Basic 8-character passwords should be fine with the help of hashing, salts and peppers, but it's 2021 and yet here we are.
The only password manager is a yellow sticky note with your password written on it, stuck to the bottom of your keyboard.
I went without a password manager for longer than I care to admit. I wanted to pick a password manager that would allow me to retain as much technological independence as possible. I eventually went with pass. It's nice because I don't need to rely on any outside infrastructure. The only thing I entrust to a company is the geospatial diversity of where my passwords are hosted. I should never need to use that though as long as all of my technology isn't simultaneously wiped off the face of the earth.
Immediately recognized the thumbnail passwords from an XKCD comic!
same
Remember those stories about e-commerce services that stored all customers' passwords as plain text on Dropbox?
The fundamental problem with that Computerphile video is that they misunderstand the xkcd comic. The entropy they calculate already assumes an attacker has full knowledge of how the password was created. There are 44 bits of entropy. This only goes up the less the attacker knows about how you created the password.
It is very important that you make this assumption when making a password. Only calculate the entropy based on full knowledge. Then you are preparing for the worst-case scenario and not relying on security through obscurity.
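The numbers in the two comments above (82.7 bits for 16 random lowercase+digit characters, 44 bits for four words from a 2048-word list) and the point about length growing entropy linearly while alphabet size grows it only logarithmically all come from one formula, length × log2(alphabet size), evaluated under the full-knowledge assumption. The Python below is an added example, not code from the video or from any commenter; the alphabet and word-list sizes are the commonly cited ones and are assumptions of this example.

```python
import math

# Symbol-set sizes for the choices discussed in the thread (constructed
# for this example; the word-list sizes are the usual xkcd and Diceware ones).
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "lowercase+digits+apostrophe": 37,
    "mixed case+digits": 62,
    "printable ASCII": 95,
    "xkcd word list": 2048,
    "Diceware word list": 7776,
}


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of a password of `length` symbols drawn uniformly at random
    from `symbols` possibilities, assuming the attacker knows both the
    symbol set and the length (the worst-case, full-knowledge assumption)."""
    if symbols < 2 or length < 1:
        raise ValueError("need at least 2 symbols and a length of at least 1")
    return length * math.log2(symbols)


def length_for_bits(symbols: int, target_bits: float) -> int:
    """Smallest length that reaches `target_bits` with the given symbol set."""
    return math.ceil(target_bits / math.log2(symbols))


def expected_guesses(bits: float) -> float:
    """Average number of guesses for an attacker who knows the scheme:
    half of the 2**bits keyspace."""
    return 2.0 ** (bits - 1)


def growth_comparison(symbols: int, length: int):
    """Bits gained by appending one more position versus bits gained by
    adding one more symbol to the alphabet at the same length. The first
    is log2(symbols) regardless of length; the second is only
    length * log2((symbols + 1) / symbols)."""
    one_more_position = entropy_bits(symbols, length + 1) - entropy_bits(symbols, length)
    one_more_symbol = entropy_bits(symbols + 1, length) - entropy_bits(symbols, length)
    return one_more_position, one_more_symbol


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        print(f"{name:28s} {math.log2(size):6.2f} bits per symbol")
    print()
    print(f"16 x [a-z0-9]                 : {entropy_bits(36, 16):.1f} bits")
    print(f"4 x xkcd words                : {entropy_bits(2048, 4):.1f} bits")
    print(f"Diceware words for ~82.7 bits : {length_for_bits(7776, 82.7)}")
    pos, sym = growth_comparison(36, 16)
    print(f"one more [a-z0-9] character: +{pos:.2f} bits; "
          f"one more symbol in the alphabet (the apostrophe): +{sym:.2f} bits")
```

`growth_comparison` makes the commenter's argument concrete: at length 16 over 36 symbols, one more character adds about 5.2 bits, while widening the alphabet from 36 to 37 symbols adds about 0.6 bits. The same formula also shows why a 32-character password is not automatically "256 bits": only a uniformly random choice over all 256 byte values would give 8 bits per character, and a 95-symbol printable alphabet gives about 6.6.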
Nice reference to the classic xkcd, brother. Real legend.
16 random phrases with 6 digits 😳
You see, it all depends on what kind of stupid requirements the system demands of the password
“But what about a hacker who has their skillcape”
That’s brilliant
Virgin Media in the UK restricts (or at least, used to restrict) password lengths to 10 characters, without allowing special characters. Then they asked me to read my password over the phone when setting up internet in a new house.
I love having a long base password and just appending the website domain name at the end so that I have unique passwords for all websites
Also, by having these arbitrary requirements, it makes every password less secure, since you know any given password you're trying to crack meets these requirements, so the pool of all possible passwords is much smaller.
You are taking off! Congrats!
The standard is usually set by websites (8 chars, mix of symbols & numbers, etc.). I prefer passphrases, since they can be as unique as you can make them, and passphrases can't be guessed as easily as passwords.
That's what I'm thinking too, although about pass sentences. You'd think dictionary attacks would be slightly less effective against them as they're not just random words in simple present tense. Unless you are for some reason the specific target (in which case social engineering would be much more effective anyway) a pass phrase or pass sentence should be good enough, shouldn't it?
I think 32 or 64 would be a reasonable password length limit as these would also satisfy AES-128 or AES-256 (assuming 8 bits per character). So a password of 32 characters should be safe as long as AES-128 is considered safe. And it is.
The longer the password and the larger the character set, the harder it is for a computer to break it.
Future-proof. Remember, 64-bit was considered secure decades ago. Now it's garbage.
>5:46 These are services that secure very sensitive information
> sees Minecraft on the list
my man knows his priorities
Pro tip: For sites, where you don't *care* if you get hacked, you can just use the same short password everywhere. Got your reddit account stolen? Tragedy! It'll take 10 whole minutes to set up a new one!
Do you think introducing the name (or something else that's related) of the service into one of a few passwords which are of acceptable length (12+) would be an okay way to let "average" people use "better" passwords without needing to remember too many?
While it can be predicted if it's known they do that, it makes brute-forcing more difficult so long as no one makes the connection (i.e. if multiple leaks show passwords linked to the same mail that exhibit this pattern).
That's more or less what I've been doing. I have a base password that I know, which uses lowercase and capitals, a few numbers and a few special characters. I just insert the first few letters of a website/service at some point in the password. It allows for different passwords on different websites but is very easy to remember. That way, if one of your passwords is pwned somewhere, it's very unlikely you can be hacked somewhere else. Of course, you should probably change your password once you realize that one of your accounts is pwned, but it gives some breathing room.
Well, I'm not the only one apparently.
A) Use a base password that you use for everything. Random noun, name of your first crush, whatever.
B) Add in two numbers, and a special character that are always the same.
C) Write the first five letters of the website you usually enter that password on.
D) Come up with some sort of substitution cipher. Basically, a substitution cipher is one wherein you have a substitution for every letter in the alphabet, i.e. change all "a"s to "x" and so on. Find some sort of pattern that works for you. Maybe you usually type via the three-by-three grid on phones held vertically (why?), or maybe you usually type everything on a keyboard so you move everything one column over, or maybe you have some sort of algorithm that makes sense to you. Type the next 4 letters of the website you were using in (C), or go back to the start of the word if the site's name is too short.
You now have a very secure algorithm that's easily memorable, consistent, difficult to guess, reproducible if you don't remember it, and isn't immediately obvious if somebody finds your password in a database somewhere.
I have some accounts so old they have 6-7 digits and only numbers. Considering that websites now force you to have more "secure" passwords, those legacy passwords actually seem more secure, since hackers take those limitations into account.
The only reason I can think of for low bounds is to blame IT admins. Guess they don't want to have to unlock accounts constantly because people can't remember their 30-character passwords.
I had a hacker friend in high school with a photographic memory for words and numbers. He could recite pi to an extreme degree and had his Bitcoin keys memorized. That's when I realized the people who tell you "you can do anything if you try" are assholes and full of shit.
If I ever make a login system again, I'm gonna do several things:
1. Use SHA512 to hash passwords
2. Use nice big unique salts for every hashed password
3. Use RSA to encrypt everything in the database. Details like the username, email, etc.
4. Use 2FA
5. If possible, use and encourage users to use RSA public key authentication
6. When delivering the auth token, store information about the user like their IP address and verify this information every time the auth token is checked
7. Instead of password rules, they will be clearly marked as password _suggestions._ You can break the rules if you choose to.
1. Makes it harder for database leaks to give away passwords
2. Makes it harder to use a rainbow table
3. Makes it harder for database leaks to give away user information (they'd need the private key)
4. Adds an extra layer of authentication
5. Would hopefully replace passwords as the primary auth mechanism and password+2FA would only be used in the event that the user loses their private key
6. Makes cookie theft harder, because for starters, the bad actor would need to have their public IP be the same as the user that's currently logged in. If the IPs don't match, the auth token is thrown away and the user's logged out
7. Prevents password crackers from gaining an advantage
Me: "Mmm ... how complicated should passwords really be?"
Kenny: "Let's talk about entropy"
Wait, wait? An actual true video on this topic? I totally went into this expecting to correct the video, as 99.99% of these types of videos are totally wrong (even if the intent is good most times). But yeah, if you can remember your password, it is not strong enough (and then use the effort needed to make that one strong password as the only one you can remember, for your password manager, which is exactly what this video said). So kudos to you for making an actual true video on this subject for once :)
If I’m reading the thumbnail correctly: I need to trade my passwords with a friend to evolve them.
What do you feel about self-hosting? Like connecting to a Raspberry Pi you keep at home and syncing the password database once a day or something.
This video exceeded my expectations.
>makes strongest password ever
>site I use gets backdoored and user passwords get dumped
>*Reading Rainbow Da Da Da*
7:20 Nobody would leave the passwords unhashed.
Except government sites of 3rd world countries. Like in my country, some government sites do not even have HTTPS, which is a basic security feature; imagine using hashing.
When there is a hash, it is MD5 or SHA-1; the latter you can crack in some weeks on a very powerful computer and the former can be cracked in seconds. Only top government sites have secure hashes.
Not even third world, my dude. Even the CIA does shit like that; just some time ago someone managed to send emails through their official email because of a shenanigan of this type.
7:48 "which obviously is something no one is able to remember"
Me: "One, seven, three, four, six, seven, three, two, one, four, seven, six, Charlie, three, two, seven, eight, nine, seven, seven, seven, six, four, three, Tango, seven, three, two, Victor, seven, three, one, one, seven, eight, eight, eight, seven, three, two, four, seven, six, seven, eight, nine, seven, six, four, three, seven, six. Lock."
Extra points if those aren't numbers
You know, back when I was in the academy, we would follow every toast with a song
On screen.
@makelgrax th-cam.com/video/rERApU26PcA/w-d-xo.html 😛
@georgewitt6591 I see you are a man of culture 😛 th-cam.com/video/bl5TUw7sUBs/w-d-xo.html
Nice write-up!
Would love to hear your thoughts / knowledge on how this fares vs approaches such as SSO or password-less Auth.
I think it depends on how much you care about your account.
What do you think about using a foreign language in the password? I don't know what dictionary hackers use for brute force, but definitely not some random languages from the Far East.
fr stay on the grind
I'm a simple person
I recognise an xkcd reference in the thumbnail, I click
Passwords are the most fundamentally important things we as humans have, ranging from being able to log in to Insta to being able to access your bank account.
But yet we just treat it so casually out of laziness, and so companies (or even schools) that people work in... had to put expiry on passwords so you have to change it 😂😂😂
IMO forcing password expiration is the worst thing to exist to enforce "security". It makes people use shorter passwords and thus many times less secure.
Looks like 37 bots downvoted the video.... Thanks again for the heads up on the dislike browser extension!
Wouldn't using an offline password manager with random passwords mean you'd have no way to access said passwords without access to said device? What if said device goes bust and you no longer have access to it?
You can always make backups of it on a flash drive or something and put it in a safe. Just make sure to make backups of it regularly. (i.e. when you change or add a new password)
Thanks! Very educational.
The video everyone should watch but nobody cares until it's too late, and I've seen many already
A single password, by itself, doesn't have any fixed entropy value. It depends on how it was generated
This entropy calculation should now be added to Linux passwd and also to the GUI when creating a user account, especially at installation time.
*On some user-friendly GNU/Linux distros.
Linux is just a kernel, and not all distros have to be bloated.
Anyway, I think one can reach Pop OS or Mint team/community to talk about that.
If I ain't wrong some distros do that already.
Thumbnail made me think this would be some gen 1 ACE video, dang.
👏🙂
Very interesting