Almost Every Business and Website Does Passwords Completely Wrong

  • Published 20 Sep 2024

Comments • 700

  • @TodayIFoundOut 10 months ago +16

    Secure your business effortlessly with a 3-month NordPass trial! Use the "todayifoundout" activation code at nordpass.com/todayifoundout. Limited time offer!

    • @carddamom188 10 months ago

      I actually use NordPass, which I got from a discount provided by a bloke called Simon Whistler (never heard of the guy or even saw anything from him), for almost a year, and I have it on almost all my devices (except work computers, because things...); they even have an app for Linux that works...
      My main issues so far seem to be that it doesn't seem to support changing the icon of an entry (for example to the website favicon) or having custom fields for things like recovery codes, in case I pair them with 2FA...

    • @anthonylosego 10 months ago

      Here is an example of a real password: Hd3qgW!eB6t2sjh#$7hsX for less secure passwords. Add an additional 5 characters for financial passwords. Then memorize it. It takes a day or two to get it down, but it's a tried and true method. Totally at random. Also use two or three factor authentication if available. And you should only use systems that allow only 3 tries before a 24 lockout and IP dark listing for sources that fail more than 1 day in a row. And account lockout as well requiring a phone call and trouble ticket to resolve.

    • @anthonylosego 10 months ago

      Also, my mother's maiden name is l#7r4g36trsUEr67w@.....

    • @anthonylosego 10 months ago

      If you want to go crazy, just get a Raspberry Pi and add a keyboard for it with an extra USB port to send keystrokes to your PC (Windows will let you add many keyboards if you like). Then you just press a key on your password keyboard for the password you want. Build it yourself. It's a nice weekend project. Don't connect it to the network. lol And that's a non-secure keyboard. But no less secure than using your actual keyboard.
      You could get extra crazy and create a secure keyboard driver for Windows to ensure the USB keyboard inputs from your Pi are encrypted, and use secure strings in your code so keyboard capture is ineffective. But that's extra work. Probably overkill. Just don't use P@ssword1. lol There are many rabbit holes to writing your own encryption code, so it can be easy to overexpose yourself to hackers. Creating code from scratch and avoiding open source code is a great way to make systems with no external information about how they work. Very secure unless you happen to think up a new way that happens to be the way everyone else is actually doing it. Best to do some research first. And if you are really paranoid, don't use a Pi but your own PCB and UART. But that's entirely for different reasons.

    • @anthonylosego 10 months ago

      Also note that the Windows message chain (while supposedly secure) can be hacked so that even if you securely transfer keystroke characters to the message chain, once it gets there, it can be fairly easy to decipher your keystrokes. Just don't go to strange sites and click on everything you see, and keep your Windows Defender up to date.

  • @Anti_Woke 10 months ago +109

    [UK] A bank where I worked decided there were too many internal forgotten password incidents and asked me to investigate. My findings: the average user had to remember 19 passwords just for normal office work, and change them every month. The number of reset requests averaged 1 per year per user or 1 / (19 * 12) = 1/228 passwords, each of which had all the silly mixed-case, numbers and 'special characters' mixed in. My recommendation - stop making people change their passwords so often and create a single log-in instead of per application. Their actions - not asking me for recommendations any more.

    • @jpe1 10 months ago +27

      In 2004 my team got an industry award for our design of a single sign-on system we had implemented whereby all users (over 20k at the time) of all systems (around 16 different systems at the time) used a single ID and password to access all systems. Privileged accounts, for example, superuser/sysadmin accounts, were not part of it, and passwords were stored in a one-way hash. I left in 2005 so I don’t know if they are still using it or not, but while I was there it worked very well, no security breaches, and users loved it.

    • @patvickers8189 9 months ago +10

      Sorry, but corporate mindsets and logic don't walk the same path. Bravo and cheers for both of your efforts!

    • @kyle1598hffgyfv 9 months ago +7

      My small regional bank and small business employer agree with you.
      Passwords are only reset after a confirmed breach, character requirements are based on length, and SSO is enabled.
      There are few password reset requests as a result & people make better passwords.

    • @Danielle-zq7kb 9 months ago +6

      I worked for a company that had a single login program that automatically logged you in to all the company's password-protected items. It was really nice.

    • @gobblinal 9 months ago +7

      My workplace eventually got single-sign-in working, mostly, still a few non-compliant systems, unfortunately. However, if you aren't using any of those systems for more than 20m then you are logged out and you need to log in again. So login, get some info, work with that info, go get some more info, re-login, repeat all f'g day long. It's gotten to the point that I don't read most company postings because it's never important enough for me to waste time logging in.

  • @ingikjartansson 10 months ago +64

    One problem with constantly changing passwords that you didn’t mention is that it makes people more likely to write their passwords down on something that is close to the computer. You would be surprised how many passwords you can harvest just by lifting up people’s keyboards at their work.

    • @MrApolloTom 9 months ago +6

      And thanks to the $ signs and the number 1 at the end, you can't miss what it means.

    • @TysonJensen 9 months ago +4

      Unless the answer is "all of them" I will not be surprised.

    • @jonathanwessner3456 9 months ago +4

      At least it isn't as bad as the Hawaii emergency broadcast people, who had it on a Post-it note on the monitor when they got a picture taken that was shared across the country.....

    • @arthill2310 9 months ago +5

      While that is a problem... it is a much smaller problem than being remotely exploitable from Russia or whatever. Russian hackers cannot lift up the keyboard.

  • @thewiirocks 10 months ago +88

    You're doing God's work with this video, Simon. Our industry has been railing against this nonsense for at least a decade and a half, yet processes continue to try and reinforce it.
    I once had a corporate customer perform a security audit on my application and they came back complaining that we were "not following NIST standards which require passwords to be reset on a regular basis." I sent them back a correction that, "NIST 2016 supersedes such recommendations with the updated recommendation to not change a password unless a password is breached." I then linked them to the NIST 2016 recommendations.
    Presumably this customer was sufficiently cowed by my response as they immediately shut up and succeeded our audit.

    • @tyrannicpuppy 10 months ago +14

      I so want to send this video to my company's IT dept. They recently changed it so we could not reuse passwords on our main system and so now everyone I know at work simply uses the same password they already were with an increasing number at the end. All they did was make our lives more difficult. Not secure the system any further. Especially not if one knows the timeframe when the change was implemented and the frequency with which we already had to change our passwords.

    • @thewiirocks 9 months ago +9

      @tyrannicpuppy What you should send them is the NIST 2016 recommendations and ask why they're going out of their way to reduce security within the company.

    • @JesseBayne 9 months ago +3

      While I'm entirely on your side here, do keep in mind that in some industries there are regulations that require outdated password policies. Like banking, for example.

    • @thewiirocks 9 months ago +2

      @JesseBayne I could be wrong, but I'm pretty sure the regulations point to industry standards as the thing that must be adhered to. For example, US Bank has an article on their website from July 05, 2023 that discusses the importance of adhering to the latest NIST standards.

  • @MarionStevensJr 10 months ago +105

    The worst systems I have seen were ones where, if you guessed wrong too many times, would lock your account and require a password change. So you could have a great password that was doing its job, but, since it was actually keeping an attacker out, you'd be rewarded by having your account locked and then need to choose a different password. Brilliant!

    • @OhMeGaGS 10 months ago +31

      My last job required a separate password for a website we used to log in absences, something you typically do every month or few months, but in general not something you log into daily or weekly. The password you set there would only be valid for 30 days, but also the system would require you to change your password if it was to expire in 30 days or less, so any password made there would only be valid for 1 login. After that your password was useless and you would have to enter a wrong password 3 times so that the system would send you a new temporary password, that you would then have to change for a new password that would also only work one time. It was easily the worst system I've ever seen.

    • @safaiaryu12 10 months ago +12

      @OhMeGaGS That's... impressively bad.

    • @Xnoob545 10 months ago +5

      Why don't they lock out on a per-hardware basis?
      I mean, hackers usually try passwords on their own machines, not yours.

    • @Narangarath 9 months ago +5

      @OhMeGaGS My husband's job used to have a similar system (not the same numbers but functionally the same thing) for stuff you needed to do every few months at most, with the added bonus of having to call IT support for a new temp password instead of entering a wrong one. 🤗

    • @JGeMcL 9 months ago

      Because... they are limiting the attempts to just 3 or 5 which stops the brute force method. If all that happened was an unlock, then they could continue trying to guess. There's better ways, but it's not illogical.

  • @senseisecurityschool9337 10 months ago +45

    I've spent much of the last 25 years studying and working full time in password security. I have a postgraduate degree in security and have presented my password security research at Defcon. I definitely approve of this video. This video is mostly right on.
    To make a strong password you can type and remember, choose three random words like "Box,Lance,Flat". If you're required to change it - don't. ADD a word. By ADDING a word to the old password, you don't have to remember much new.

    • @Fyrefrye 10 months ago +6

      An old teacher of mine explained something similar to us back when I was in high school. His suggestion was also to pick three random words, but he stressed that they should be relatively long and we should focus on making them something we thought was funny. Not a phrase or quote, just amusing (his example has stuck with me for over a decade: "Purplemonkeygrapefruit"). Then we should intentionally misspell one word in a random way that we could remember.

    • @jpe1 10 months ago +2

      Great in theory, but many systems have requirements that include a maximum number of characters, typically 16 but at least one I deal with has a maximum allowed password length of 12 characters, so when adding words they have to be very short, and that also becomes unwieldy over time, for example one federal government system I have an account on requires a password change every six months, I’ve been using it since 2003, so using your technique my password would be over 40 words long.

    • @Interrobang212 9 months ago +7

      I've had passwords reject me on the basis of password history when I try to make it too similar. Infuriating!

    • @senseisecurityschool9337 9 months ago +10

      @Interrobang212 Yeah, that's super annoying - and mostly proves that they are storing all the passwords themselves for hackers to get, rather than storing a derived value like they are supposed to.

    • @-_James_- 9 months ago +5

      @jpe1 If you encounter a system that has a maximum length for a password, walk away. They're doing it so wrong, you just shouldn't trust them with anything.

  • @aremoreequal 10 months ago +54

    I’ve always felt companies completely locking a person out after three mistakes was dumb, but adding time after each wrong guess, up to a day or so, is smart. A computer can guess a billion passwords a minute, but if the server only accepts one login attempt per minute, it will still take forever to crack a randomly generated password.

    • @markc2643 10 months ago +22

      Passwords are almost never stolen that way. They get hold of the PW database, which is encrypted, and run the guesswork on a copy of that database, which makes any security gain from limiting the number of PW entries useless. Brute force is made useless on website logins simply by delaying returning to the password entry screen. Someone getting your passwords but not knowing which website you use them on is the only scenario that limiting it to 3 mistakes would have an effect on.

    • @thewiirocks 10 months ago

      @markc2643 Not anymore. Brute forcing was an approach used in the past, so limiting the attempts made sense. But you're absolutely right. These days attackers don't really care about your password, as they generally look for security holes they can use as a backdoor to all the really juicy info.

    • @TysonJensen 9 months ago

      @markc2643 And yet somehow a 4-digit PIN has protected my entire net worth for decades. So just saying that people "get hold of the PW database", which people always want to say, should be followed up with "why the F is that happening?!" Banks have figured out how not to leak that sh**. Why can't everyone else?

  • @kensmith5694 10 months ago +64

    There was a joke memo many years ago that listed a long list of rules for passwords that you could use. At the end of the memo, it stated that the math department has proven that there are only 7 passwords that meet all these requirements and users should see their supervisor to obtain one of those.

    • @luketurner314 10 months ago +7

      Reminds me of the password game

    • @SuchtFaktorHoch10 10 months ago +3

      press doubt

  • @OhMeGaGS 10 months ago +26

    I've known about this for a while, and sharing this with people in the corporate setting is one of my favorite things to do, because it always gets the same reaction:
    1. No that can't be right
    2. oh... wow... really interesting
    3. well anyway we're not gonna change anything cause that's how we do it

  • @roberteltze4850 9 months ago +7

    Richard Stallman is a big advocate for openness in computing; he formed the Free Software Foundation, which promotes software that has its source code available for anyone to read and reuse.
    Well, back in the 80s one day he was in a discussion forum and announced that he was such an advocate of openness that his account didn't even have a password. A few minutes later someone responded "it does now".

  • @GideonFrazier 10 months ago +66

    I love how passionate this specific TIFO video is. I feel it too.

    • @TodayIFoundOut 10 months ago +34

      Oh, the rage with which this was written. 😋 -Daven

    • @AngeliqueStP 10 months ago +4

      @TodayIFoundOut We feel your pain and add our own in full measure. Keep swinging, soldier! ✌

  • @Genny207 10 months ago +117

    Only password requirement: Password must contain a minimum of 16 characters.
    Humans: passwordpassword

    • @wellesradio 10 months ago +1

      Must include numbers, symbols, uppercase and lower case letters and not include words.

    • @N20Joe 10 months ago

      @wellesradio Sticky note on the monitor.

    • @watcherit1311 10 months ago +13

      @wellesradio You mean like DrowssapDrowssap1?

    • @martinconnelly1473 10 months ago

      @jasonk1540 We had to use BitLocker at work and that required an 8-digit number; we all chose a repeated 4-digit number.

    • @Sacto1654 9 months ago +1

      The requirement for many is 16 characters with a mix of upper and lower case characters, numbers and additional extra characters. That type of mix is extremely hard to break.

  • @leigha2814 10 months ago +67

    My employer requires us to use passwords and logins for everything (at one point they f'd up so bad that we had to log our password while changing pages in programs it was awful) despite some 98% of our work having no need to be password protected. I'd argue the only thing that does would be our personal finances.
    So from there, they make us change our password every 2 months. That means not a single one of us has a good password. There's no excuse for it, either, because we have biometric scanner access; they just shut it down because they think our 💩 passwords are "more secure."

    • @memofromessex 10 months ago +6

      Yeah, I hate that - I have worked in market research and at one company I would get sent a ton of data, already fully anonymised, with the typical consumer questions all scaled 0-10, with 2 free text boxes. Like somehow "What did you think of the service, 0-10" or "Will you recommend us to your friends and family?" Like this data is private or has any great value.
      I just kept all the passwords on my desktop in a notepad file. Saved hours working there.
      I think that some people think that giving a file with a password with it somehow makes them feel like they are smart. It's just a pain in the bum.

    • @fr2ncm9 10 months ago +3

      My non-profit requires that we change our passwords every 3 months. Even worse, our remote clock-in app requires us to get a passphrase via phone or text every 5 days. This is great if you are trying to clock in to work 💩💩💩

    • @MonCappy 10 months ago +1

      Private businesses should not be allowed to collect their employees' biometric information. Ever.

    • @wellesradio 10 months ago +2

      @MonCappy I disagree, but I think employees can compromise by opting out: having to use an in-house password manager, being assigned a long, complex password and being tested to ensure they memorize it.

    • @Xnoob545 10 months ago +1

      @MonCappy What makes you think they are collecting the data?

  • @orikarru7877 10 months ago +22

    You've combined the power of fun intros and Simon's ability to rant.
    Do it again and never ever stop!

  • @todayonthebench 10 months ago +20

    Meanwhile a major retailer in Sweden requires a 4-digit password for accounts on their website. And with some additional restrictions like forbidding consecutive increments/decrements, i.e. 1235 isn't valid.
    But strictly speaking, passwords benefit from length, far less so from special characters, or numbers, or other stuff. As stated at 20:42
    In my own case I try to aim for at least 8 characters for stuff that needs physical access.
    For stuff on the internet going for 15+ characters is preferable.
    But most important thing to have a properly strong password for is one's email account. Since that is effectively the key to all one's other accounts. It is your single point of failure. And why I personally have spread my accounts across more than just 1 email account/service.

    • @MadScientist267 9 months ago +3

      The one I love is a 4 digit PIN for a debit/credit card... Simply press "Cancel" to run it as credit *without* the PIN.
      WTF is that? 🤦‍♂️

  • @Green__one 10 months ago +21

    A previous employer had a system that I had to access once a month, it required a password change every 30 days. I never even bothered to try to remember my password, I simply used the reset password link every time I needed to log in.
    My current employer has a system that takes things to the next level. On your first login, you must change your password before logging out, however you are not allowed to change your password for a minimum of 24 hours. Auto log out is after approximately 1 hour regardless of activity. Which means the only way to get out of this loop is to call in a support ticket, however the only thing the first level support can do is reset you to the same as your first login, you then have to beg them to escalate it to second level support who can actually change the timeout for the password.

    • @safaiaryu12 10 months ago +1

      That hurts my brain.

    • @HenryLoenwind 10 months ago +1

      I've used systems that were designed like the first one on purpose. The train booking system my last employer used was set up that way. You would go to their website, enter your email address, and they would email you a URL that would log you in. No password at all, you proved your identity by having access to your company email inbox. Not a great idea over the open internet, but when those two companies have a direct and secure email bridge, it works very well.

    • @Green__one 10 months ago +1

      @HenryLoenwind The worst part about that first system was that if you chose the reset password link, it would ask you for your network login password, and use that to authenticate you to allow you to reset the password. As it obviously had a link between the systems, why couldn't it just use that password in the first place instead of forcing you to have a completely different password?

    • @Green__one 10 months ago +1

      @safaiaryu12 Very much so. While we all know that a maximum time between password changes doesn't actually add any security, at least I can understand where the theory came from. But having a minimum time between password changes has never made any sense to me at all. So I know that someone has my password, but I can't change it yet, because I have to wait for the minimum time to elapse? Whose brainchild is that!

    • @jbutler8585 9 months ago

      @Green__one It's to prevent going back to using the same old password. First, rules changed to not allow you to reuse one of the past 10. So a huge number of users diligently changed their password 10 times in a row just to get back to the first one.

  • @knurlgnar24 10 months ago +7

    If your employer has terrible password policies like requiring changing it monthly, then you as an employee immediately have zero motivation to secure your account because clearly they don't give a damn about security either.

  • @ken.a. 10 months ago +13

    At one point in my IT career, I had to keep track of over 100 passwords that had to be changed every 90 days or so. It was a nightmare. My coworkers just wrote their passwords down on pieces of paper hidden in their desks, but all I wrote down is the system name followed by the number of times I changed that password. It was innocuous enough that the paper was taped to my desk in plain sight, but it was enough for me to quickly recall the password for each system. This was despite every system having its own unique 16+char password that met all the requirements.
    I started with an ordered list I knew well. It was the same ordered list for everything, and I never wrote it down. The number I wrote just told me which item on the list that system was on. I'd apply an algorithm to get the required combination of upper/lower/number/symbols and to incorporate the system name. Explained that way, it might sound complicated, but it was trivial. Easily simple enough to do in my head as I typed the password.

    • @drewt1717 10 months ago +9

      I like it. Record the cipher in plain sight and keep the language in your head. Pretty clever approach.

    • @anthonylosego 10 months ago +2

      The next question is, where do you work? lol /s

  • @coeal2680 9 months ago +7

    The real sadists are the companies that force you to change your passwords frequently, but have a "password too similar to previously used password" system.

    • @michaelbeaver8281 9 months ago +1

      If they know that, they're not storing the password as a hash which means someone could steal their database and just read your password! Terrible.

    • @__christopher__ 9 months ago

      @michaelbeaver8281 When you change your password, you are always required to also enter your previous password. At which point it is trivial to compare them for similarity, independent of how they are stored in the database.

    • @Antiyoukai 6 months ago

      My government login system is like that lol.

    • @__christopher__ 6 months ago

      @michaelbeaver8281 When changing your password, you are required to give your old password to authenticate. Thus they have your old and new password in clear text at the same time without the need to store it.
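The mechanism argued over here and in the earlier @senseisecurityschool9337 / @Interrobang212 exchange, as an added example that is not code from any commenter or product: on a password change the old password arrives in cleartext next to the new one, so the server can verify it against the stored salted hash, compare the two cleartext values in memory, and then persist only the new hash. The PBKDF2 iteration count, minimum length, similarity threshold and trailing-counter rule are illustrative assumptions.

```python
import hashlib
import hmac
import os
import re
from difflib import SequenceMatcher
from typing import Dict, Optional, Tuple

# Constructed example; constants are illustrative assumptions. The iteration
# count is kept moderate so the demo runs quickly; a deployment should follow
# current NIST/OWASP guidance for the work factor.
PBKDF2_ITERATIONS = 100_000
MIN_LENGTH = 12
MAX_SIMILARITY = 0.8   # SequenceMatcher ratio above which the change is refused


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived key); this pair is all that is ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Constant-time comparison of the re-derived key against the stored one."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


def _strip_counter(pw: str) -> str:
    """'Winter2024' -> 'Winter', so 'same password, number bumped' is caught."""
    return re.sub(r"\d+$", "", pw)


def too_similar(old: str, new: str) -> bool:
    """Compare the two cleartext values the user just typed.

    Neither value is persisted. Only the immediately previous password can be
    checked this way: a 'last N passwords' history holds hashes, which allow an
    exact-reuse check but not a similarity check.
    """
    a, b = old.lower(), new.lower()
    if a == b or _strip_counter(a) == _strip_counter(b):
        return True
    if a in b or b in a:           # old password padded with extra characters
        return True
    return SequenceMatcher(None, a, b).ratio() > MAX_SIMILARITY


class PasswordStore:
    """Holds salt + PBKDF2 key per account; cleartext never reaches storage."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        self._records[user] = hash_password(password)

    def change_password(self, user: str, old: str, new: str) -> str:
        salt, key = self._records[user]
        if not verify_password(old, salt, key):
            return "rejected: old password incorrect"
        if len(new) < MIN_LENGTH:
            return "rejected: too short"
        if too_similar(old, new):
            return "rejected: too similar to previous password"
        self._records[user] = hash_password(new)   # old cleartext is dropped here
        return "changed"
```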

  • @Nanan00 10 months ago +15

    My previous company required a password that was 12 chars long, upper, lower, numbers, special chars, no words etc. People just wrote their passwords on sticky notes and left them within a foot or two of the monitor. The company did a security audit and did a quick search of the office after hours one day and found something like 20 passwords stuck to the monitor of the computer; this included the MD and HR manager.
    My new job has 2-factor authentication via Microsoft that calls your phone, fine in the US, but I spent a few weeks overseas and it broke down because the system was prevented from doing international calls...

    • @catatonicbug7522 10 months ago +7

      Let's hope the company is paying your phone bill. Any requirement that an employee use their personal device for authentication into business facilities should never be allowed unless the employees can opt in and are compensated.

    • @jpe1 10 months ago

      @catatonicbug7522 It would be terrible system design to use employee personal devices! I’ve never seen this implemented where the employee wasn’t given a dedicated device (or a very locked down phone) to host the two-factor authentication application. If the system were to use employee personal phones then all the effort at security is for naught; the employee personal phone is the weak link in the system, plus supporting myriad different possible employee personal phones would be an IT department nightmare.

    • @gobblinal 9 months ago

      @catatonicbug7522 Or can optionally use a dongle. I do both. I do NOT want to get stuck without some way of getting in.

  • @marxmaiale9981 10 months ago +17

    A simple prevention method for password cracking is to require a minimum time between attempts. While it doesn't fix anything, it does stop brute force attempts.

    • @Chris47368 10 months ago +2

      Very True!
      Unless the password database gets leaked (also assuming such a database doesn't just contain plaintext passwords 😂)

    • @DeronMeranda 10 months ago +3

      And by doing this you've just made DoS (denial of service) attacks extremely easy and cheap. No, there are better ways.

    • @jonodegaard5236 10 months ago +4

      A timeout will not stop brute force attempts, because brute force attacks are not made at the login level. Instead, they happen offline on entire datasets, usually leaked or stolen hash tables.

    • @djp_video 10 months ago +1

      Except in the case of password data breaches, where there is no minimum time between attempts.
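The throttle this thread argues about, as an added example that is not code from any commenter or product: progressive back-off keyed per account and per source instead of a hard lockout, with an injectable clock so it can be exercised without sleeping. The delay constants and the (account, source) keying are assumptions; as the replies note, none of it applies once the hash database has leaked.

```python
import time
from typing import Callable, Dict, List, Tuple

# Constructed example; the constants below are illustrative assumptions.
FREE_ATTEMPTS = 3       # failures tolerated before any delay applies
BASE_DELAY = 1.0        # seconds after the first throttled failure
MAX_DELAY = 15 * 60     # cap, so a forgotten password never becomes a day-long lockout


def delay_after(failures: int) -> float:
    """Back-off in seconds after `failures` consecutive failed attempts.

    Doubles each time past FREE_ATTEMPTS and is capped at MAX_DELAY.
    """
    over = failures - FREE_ATTEMPTS
    if over <= 0:
        return 0.0
    return min(BASE_DELAY * 2 ** (over - 1), MAX_DELAY)


class LoginThrottle:
    """Per-(account, source) back-off for an online login endpoint.

    Keying on the account alone lets anyone who knows a username lock its
    owner out by failing on purpose (the DoS objection in the thread); keying
    on the source alone ignores one address trying many accounts. Tracking the
    pair keeps the legitimate user unaffected by a remote guesser while still
    slowing that guesser down. Nothing here helps once the hash database has
    leaked; offline guessing is bounded only by the stored hash's work factor.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._failures: Dict[Tuple[str, str], int] = {}
        self._next_allowed: Dict[Tuple[str, str], float] = {}

    def wait_seconds(self, account: str, source: str) -> float:
        """Seconds the caller must still wait before another attempt is evaluated."""
        return max(0.0, self._next_allowed.get((account, source), 0.0) - self._clock())

    def attempt(self, account: str, source: str, verify: Callable[[], bool]) -> str:
        """Process one login attempt.

        `verify` runs only when the pair is not throttled, so the deliberately
        slow password hash is never computed for guesses inside the window.
        """
        key = (account, source)
        if self.wait_seconds(account, source) > 0:
            return "throttled"
        if verify():
            # success clears the counter; no forced password change on lockout,
            # which is exactly what the thread complains about
            self._failures.pop(key, None)
            self._next_allowed.pop(key, None)
            return "ok"
        self._failures[key] = self._failures.get(key, 0) + 1
        delay = delay_after(self._failures[key])
        if delay:
            self._next_allowed[key] = self._clock() + delay
        return "denied"


def demo() -> List[str]:
    """Drive the throttle with a fake clock: a remote guesser, then the owner."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    results = []
    for _ in range(5):                                   # guesser, always wrong
        results.append(throttle.attempt("alice", "198.51.100.7", lambda: False))
    # the owner logs in from her own address while the guesser is throttled
    results.append(throttle.attempt("alice", "192.0.2.10", lambda: True))
    now[0] += delay_after(4)                             # wait out the 1 s window
    results.append(throttle.attempt("alice", "198.51.100.7", lambda: False))
    return results
```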

  • @mnntropy5615 10 months ago +10

    It is worse than you mentioned. Perhaps a part 2 could air some of my frustrations.
    I had an 11-character password for a system I work with. It was old, so I went to change it to one with 16 characters. The system puked on this; it appeared to work but I could not log in. I did the "forgot my password" thing and found out that it was now only accepting passwords of 7 characters. So my 16-character password was cut down to the first 7 characters. I have not been able to convince the owner of the system to look into the security of the system.
    On another system, I went to change my password and it would not work. It listed no rules for characters or length, but apparently my password had some characters that were not allowed. I had to find this out through trial and error.

  • @garyb9167 10 months ago +12

    I avoid password overload for the most part by using a password manager with an auto generation tool.

    • @jbutler8585 9 months ago +1

      The best option by far, since that also means no reusing passwords across services. One company's security failure then doesn't impact anything else. I just wish KeePass would recognize by default that every character category must be used, because that's how password rules work.

  • @vxcorwinxv 10 months ago +23

    Thank you for the "Not that Bill Burr" that made the whole video for me.

  • @Surdalegacy 10 months ago +326

    I think the biggest question is, why do we need passwords for certain things. Why do I need to put in a password to pay a bill? Please, for the love of God, hack my account and pay my bill for me.

    • @finkelmana 10 months ago +1

      What are you going to do instead? Go into a company's website, type in a 15 digit account number, your 16 digit credit card number, expiration date, CVV, and a dollar amount? For every bill? No, you are going to log into the website that has your payment information stored, with just a username and password.

    • @Banks4004 10 months ago +11

      At least in the US, none of my utility bills require a password or account.

    • @leigha2814
      @leigha2814 10 months ago

      @@Banks4004 also in the US, all of mine do.

    • @bog300
      @bog300 10 months ago +48

      Privacy related to finances; let's say you're in debt but you don't want others to know. Well, if someone had your details they could just check the balance to be paid.
      Alternatively, depending on how the information is presented (account number etc.) this information can then be taken and used in social engineering attacks.

    • @an0mndr
      @an0mndr 10 months ago

      @@Banks4004 can someone just log in and see stuff like your address and phone number with only the account number?

  • @timmywashere1164
    @timmywashere1164 10 months ago +6

    Wait! 12345 got out!? I better change the combination I use on my luggage.

  • @johnbridger5629
    @johnbridger5629 10 months ago +12

    I find using a phrase or sentence complete with punctuation can often meet standards whilst being lengthy but easy to remember. Just because it is called a passWORD doesn't mean it has to be a word.

    • @bobyoung6446
      @bobyoung6446 10 months ago

      I like album names like: PinkFloyd-TheWall

    • @RC-14
      @RC-14 10 months ago

      @@bobyoung6446 Remember those password cracking lists and specialized software? That would be a really bad password.

    • @macethorns1168
      @macethorns1168 10 months ago

      Yeah, spaces as well.

    • @macethorns1168
      @macethorns1168 10 months ago

      @@bobyoung6446 There's no reason to leave the spaces out. They'll make your password longer and it makes it more natural to type.

    • @MadScientist267
      @MadScientist267 9 months ago +1

      That works until they say "between 8 and 16 characters"

  • @timothyneiswander3151
    @timothyneiswander3151 10 months ago +10

    On the security questions, I would suggest not using answers that have anything to do with the question.

    • @enceladusdarkhart7048
      @enceladusdarkhart7048 10 months ago +3

      I like to use the password generator to make my answers then store them in my password manager. If the site allows you to make your own questions, I do the same for those as well.

    • @chitlitlah
      @chitlitlah 10 months ago

      @@enceladusdarkhart7048 Are there still sites that let you make your own question? Yahoo used to do that in the 90s and I hacked several people's e-mail accounts because they put yes/no questions.

    • @timothyneiswander3151
      @timothyneiswander3151 10 months ago

      @@enceladusdarkhart7048 That is the hi-tech version of what I do

    • @drumguy1384
      @drumguy1384 10 months ago +1

      @@enceladusdarkhart7048 That's effing genius! I generally do what the previous poster said, but that is awesome.

    • @christinebenson518
      @christinebenson518 10 months ago

      Recently I was setting up a security question and the "What was your first address" was one. I've lived in 9 houses in this small town. I moved from that place when I was 4/5. I do remember my second address. I am surprisingly good with phone numbers.

  • @janewaysmom
    @janewaysmom 10 months ago +4

    This is so true. My work is so bad for it. Once, I actually realized I had very similar passwords across multiple systems, and decided to make more of an effort when the computer told me to change one. It got rejected, rejected, rejected over and over, until finally I ended up sticking a 1 on the end of the old one, because the company system wouldn't accept a more different password, even when I specifically wrote it down on paper with all the changes, intending to change the password and then shred the page.

  • @johnfalzon
    @johnfalzon 10 months ago +4

    Let's not forget that a lot of people put their passwords into fake pages that they get in emails. No cracking required.

    • @AltonV
      @AltonV 10 months ago +1

      passkeys would solve that issue

    • @drumguy1384
      @drumguy1384 10 months ago +2

      Yet another reason to use a password manager. They will recognize the authentic domain and not offer to enter the stored password in sites that don't match.

  • @fsmoura
    @fsmoura 10 months ago +11

    Well, my password is "Password," which isn't too fancy, but it's okay as I added a '!' to the end to make it stronger 👍👌

    • @Condorman1
      @Condorman1 10 months ago

      LOL

    • @EF-69
      @EF-69 10 months ago +8

      Set the password to "incorrect". Then if you happen to forget or mistype it the system will remind you. Your password is incorrect.

  • @GryphonBrokewing
    @GryphonBrokewing 9 months ago +3

    Still insane that the three credit agencies (which in no way do fiscal alchemy to come up with made up creditworthiness numbers) aren't more accountable for their breaches, nor the wrong information they have enshrined.

  • @UnicornsPoopRainbows
    @UnicornsPoopRainbows 10 months ago +3

    After a while of having to change passwords, I've changed up my passwords to include insulting the company it is used for. It makes remembering the different passwords WAAAAY easier.
    Oddly, they don't monitor profanity use for passwords...

    • @jbutler8585
      @jbutler8585 9 months ago

      That's actually an old-school security measure. If you set a password to something that nobody dares say out loud, that makes it less likely to get shared with anyone else.

    • @EyMannMachHin
      @EyMannMachHin 9 months ago

      When riding the security helldesk some 13-14 years ago, I had some really dense customer. Kept insisting the password I sent him didn't work. The system was designed to keep the new password from me, so I could not help him in this regard. But the script involves running pwgen, setting the password, sending out the email with the temporary password and the user logging in and immediately having to change one's password. After 4 more tickets over the course of 90 minutes and a phone call which became increasingly uncomfortable, in which I read him the documentation and explained it to him as calmly as I could, I then repeated the steps in the script and manually changed his password to "1'm@niD10t!" (without the quotes). Funnily I was never reprimanded by my manager for that and the user seems to have learned his lesson, because I never saw a ticket from him again.

  • @KurtisRader
    @KurtisRader 9 months ago +3

    As a senior software engineer who has worked in the IT industry for four decades I wholeheartedly agree with pretty much everything you said.

  • @einname9986
    @einname9986 10 months ago +12

    Best way to actually make your account more secure: Use two factor authentication whenever possible. Then the security of your password does not matter that much any more.
    (pls back up the codes so you don't get locked out in case you lose your phone)

    • @jfwfreo
      @jfwfreo 10 months ago +1

      As long as it's not SMS 2FA, all the experts say that's no good anymore.

    • @jessicazaytsoff1494
      @jessicazaytsoff1494 10 months ago +4

      SMS 2FA is vulnerable to SIM jacking, true. But wouldn't that be a targeted attack, not random like a sniffer?

    • @alb9022
      @alb9022 10 months ago +2

      I'm inclined to be more concerned by random sniffers than targeted attacks. I'm not important nor cool enough to attract such attention lol

    • @RB-bd5tz
      @RB-bd5tz 9 months ago

      Two factor authentication is stupid. If I log into an account with 2FA at my computer, it sends a code to my phone. Okay - but if I log into that account with my phone, it sends a code to ... my phone. If someone knows my login info, they can take my phone and get into my account.

    • @einname9986
      @einname9986 9 months ago

      @@RB-bd5tz but they need to get (into) your phone.
      Some random hacker that bought a password list on the darknet will have a hard time doing so (and that is probably a more widespread threat, except if you tend to share your login credentials).

  • @erikr968
    @erikr968 10 months ago +11

    Bottom line is that password authentication can only get you so far, no matter what requirements you put on them, or how much you try to train people in choosing passwords.
    Multi-factor authentication is the only way to significantly increase the strength of user logins.

    • @poeterritory
      @poeterritory 10 months ago +1

      Exactly

    • @djp_video
      @djp_video 10 months ago +1

      Except that so many sites use text messages as the second factor, and those are SO easy to intercept.

    • @anthonylosego
      @anthonylosego 10 months ago

      @@djp_video But not with a limited IP source and time window for any particular login.

    • @poeterritory
      @poeterritory 10 months ago

      @@djp_video How?

    • @djp_video
      @djp_video 10 months ago

      @@poeterritory It doesn't happen to most people because today there isn't enough financial incentive to do so (today). But if someone is determined enough, it is completely possible to make it happen and isn't that hard.
      There are a few different ways. The most common is to call the cell phone carrier and claim to have lost the phone and issue a replacement SIM card or phone. Customer service reps at most cell phone carriers are typically not that difficult to socially engineer into allowing access to someone else's account. The other common way is to intercept the messages in transit over the air. (1) The encryption used for SMS text messages is ancient (1980s technology) and very poor, and (2) there are numerous devices out there which insert themselves as a "man in the middle" between cell phone carrier and cell phone, allowing the person with the device to see (and hear) anything they want. (Do an internet search for "stingray.")
      The bottom line is that SMS text messages are NOT secure and shouldn't be trusted.

  • @robd9413
    @robd9413 9 months ago +4

    As an aside to this video and Simon may have covered this too - he's done so many, so who knows - but there was a data breach about 10 years back on a particular bank's PIN numbers for their bank cards. It found that over 20% of cards had one of 3 PIN combos. Now maybe that bank's customers were all somehow dumber and more predictable than average, but if not... If you get 3 goes before the machine swallows the card, that means 1 in 5 of those stolen cards could be used without tripping any alarms by simply trying these 3 combos and walking away to steal another if it doesn't work. What were those 3? Look it up yourself, I'm not going to do all the work for you.
    Or to quote Spaceballs, "12345? That's the number an idiot has on his luggage!"

    • @TysonJensen
      @TysonJensen 9 months ago +2

      Wow, what a coincidence, that's the password I have on my luggage!

    • @cruztastrophe
      @cruztastrophe 9 months ago

      "By the way, the most common four-digit PINs according to the study are: 1234, 0000, 2580, 1111 and 5555 (scroll down for a longer list) - 2580 is there because it is a vertical column on a numeric keypad"

    • @robd9413
      @robd9413 9 months ago +1

      That's the ones, yes. Guess you remember the same study.
      The key takeaway from both the video and that data breach is, to quote Minority Report, "the flaw is always human". When security only looks at what should be safe and secure from a technical angle and does not include a people angle, they open themselves up to failure.

  • @EF-69
    @EF-69 10 months ago +3

    All your passwords securely stored in one place like, you know, all your eggs in one basket. Then *when* they get hacked and don't notice for 5 months...

    • @drumguy1384
      @drumguy1384 10 months ago +1

      Yeah, no security measure is 100% safe, but having a unique password for every site you use and keeping those in an encrypted vault is still better than trying to remember them all some other way. 2FA mitigates most of the downsides of a breach. If it is that important to you, you can run your own Bitwarden server and manage the security yourself.

  • @sauby1988
    @sauby1988 10 months ago +2

    How did this video not have a Spaceballs reference?
    "12345, that's amazing! I have the same combination on my luggage."

  • @shadeblackwolf1508
    @shadeblackwolf1508 9 months ago +2

    "A great password is hard to guess but easy to remember" would be an excellent password.

  • @luketurner314
    @luketurner314 10 months ago +2

    Using a password manager, I often have the issue of the generated password being too long and including characters that are not acceptable

  • @chainmailleguy
    @chainmailleguy 10 months ago +4

    When I first started in IT, one of the most pertinent things I learned was, if a human made it a human can break it. There is no perfect way for us to have passwords and be completely safe.

    • @jessicazaytsoff1494
      @jessicazaytsoff1494 10 months ago +1

      PEBCAK errors are real.
      If it's super secure and involves people, the weak link is nearly always people trying to get through a work day.

    • @autohmae
      @autohmae 10 months ago

      And even if they follow protocol all of the time, they often can be misled by social engineering.

  • @HarshColby
    @HarshColby 9 months ago +1

    Back in the day, I used "borrowed" passwords to gain more machine time.
    Berkeley required them to be on punch tape in unprintable characters. You read the tape into the machine first, then could use your account. People regularly threw away the tapes in the small trash can in the room.
    University of Maryland required a punched card be buried somewhere in your program deck. When people were done, they threw the deck in the trash. I found a couple of decks from the teachers and teacher aides. Those passwords let you create new accounts, sign on from another terminal, then delete the account from the first terminal. This way, no student account was being charged computer time, since the account didn't officially exist.
    San Mateo college (San Francisco, Calif. area) didn't have passwords.
    MIT didn't have pre-assigned passwords, but you could only access the computer if you knew its ARPANET phone number (or were on campus).
    Of the ones I tried, only Stanford defeated me.

  • @chrismitchell6478
    @chrismitchell6478 10 months ago +3

    Here's my tip for those password reset questions. When it asks something like "What's your favorite colour?", respond with something completely different, for example, Dodge Journey. Why? Because it was your first car. You just then have to remember this; I suggest recording the hints somewhere safe (as in not in a notebook right next to your PC).

    • @DrunkenUFOPilot
      @DrunkenUFOPilot 9 months ago

      "What is your father's middle name?"
      "Guitar Nuclear Fathers Middle Name"

  • @xoso599
    @xoso599 10 months ago +1

    Major bank limits passwords to only numbers and less than 12 characters because they wanted compatibility with ATMs.
    I don't use them anymore.

  • @mariobeck3798
    @mariobeck3798 10 months ago +2

    Btw. biometric safety is the worst of all. It's basically passwords you cannot change easily and are forced to show off in public to anyone who can read.

  • @tsilb
    @tsilb 10 months ago +2

    And this is why, when the question is "what was your first pet's name?", I just paste another insane password in there.

    • @macethorns1168
      @macethorns1168 10 months ago

      I wouldn't make it too complex (in case you have to repeat it to someone who can unlock your account), but yes...random words are the way to go.

  • @MrWillcapone
    @MrWillcapone 10 months ago +5

    Most non-English, French or Spanish speakers as first language can survive a bit easier because most systems weren't built for them. I can use the simplest word in my language, sprinkle in some numbers, and most systems would say "strong password", which honestly is bs.

    • @cheesycheese8451
      @cheesycheese8451 10 months ago +1

      c'estlavie123
      Strong password ✅

    • @jessicazaytsoff1494
      @jessicazaytsoff1494 10 months ago

      I honestly never thought of this. Would a dictionary attack factor in ^§×`~?

  • @Lanka0Kera
    @Lanka0Kera 10 months ago +3

    Worst offender I've yet to "have pleasure use" was technical university's STUDENT accounts: 16 marks long with caps, numbers and special characters, no dates or parts of user's name (the site checked&blocked). Add 90 day change cycle that required completely new password each time (again checked&compared to last 3 passwords). Worst part of the mess is that the password is needed to attend tests that you can't take any electronics or papers in with you... so good luck remembering 16 mark random string to log into the system.
    At least the uni is pushing for passphrases instead of passwords but still remembering where the caps and special characters were...

    • @macethorns1168
      @macethorns1168 10 months ago +1

      So those clowns were storing clear text versions of passwords. Face palm.

    • @HenryLoenwind
      @HenryLoenwind 10 months ago

      @@macethorns1168 If they implemented it correctly, they don't need to store the currently valid password...but only the old ones (which isn't much better, tbh). The checker software can get the current one from the user input.

    • @__christopher__
      @__christopher__ 9 months ago

      @@HenryLoenwind They don't have to store the previous passwords in plaintext either. Just because it's no longer your current password doesn't mean comparing password hashes suddenly fails. Checking for trivial changes is also easy, since the trivial changes can be done in reverse on the newly entered password, and then the result being hash-compared with an old password.
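
      The hash-only history check the two replies above describe, as an added example (not a commenter's code, and not any particular university's system): every previous password is kept only as a salted PBKDF2 digest, and a proposed new password is rejected if it, or the old password implied by undoing one cheap edit (a trailing character stripped, a trailing number decremented, a case change), hashes to a stored entry. The class and function names, the iteration count and the set of edits undone are assumptions made for this demo.

```python
import hashlib
import hmac
import os
import re
from typing import Iterator, List, Tuple

# Iteration count chosen to keep the demo quick (assumption); a deployment
# would pick a cost based on current guidance for its KDF.
PBKDF2_ITERATIONS = 30_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class PasswordHistory:
    """Keeps (salt, digest) pairs for the last N passwords, never plaintext."""

    def __init__(self, keep_last: int = 3) -> None:
        self.keep_last = keep_last
        self._entries: List[Tuple[bytes, bytes]] = []

    def record(self, password: str) -> None:
        """Add the password that has just been set to the history window."""
        salt = os.urandom(16)  # fresh salt per entry, so digests are unrelated
        self._entries.append((salt, hash_password(password, salt)))
        del self._entries[: -self.keep_last]  # forget the oldest beyond N

    def matches_previous(self, candidate: str) -> bool:
        """True if candidate hashes to any stored entry (constant-time compare)."""
        for salt, digest in self._entries:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                return True
        return False


def trivial_variants(new_password: str) -> Iterator[str]:
    """Undo the cheap edits users make to get past a history check.

    Each value is what the OLD password would have been if the user made that
    edit to reach new_password; hashing it against the stored digests catches
    the reuse without ever knowing the old plaintext.
    """
    yield new_password                          # exact reuse
    for k in (1, 2):                            # "Winter2023" + "1" or "!!"
        if len(new_password) > k:
            yield new_password[:-k]
    m = re.search(r"(\d+)$", new_password)      # "Summer2023" -> "Summer2024"
    if m and int(m.group(1)) > 0:
        prev = str(int(m.group(1)) - 1).zfill(len(m.group(1)))
        yield new_password[: m.start()] + prev
    yield new_password.lower()                  # "summer" -> "SUMMER"
    yield new_password.capitalize()             # "Summer" -> "SUMMER"
    yield new_password.swapcase()               # "Summer" -> "sUMMER"


def is_acceptable_change(history: PasswordHistory, new_password: str) -> bool:
    """Reject a new password that is a previous one or a trivial edit of one."""
    return not any(history.matches_previous(v) for v in trivial_variants(new_password))


if __name__ == "__main__":
    hist = PasswordHistory(keep_last=3)
    hist.record("Summer2023")
    hist.record("Winter2023")
    for attempt in ("Summer2024", "Winter20231", "SUMMER2023", "correct horse battery staple"):
        verdict = "accepted" if is_acceptable_change(hist, attempt) else "rejected"
        print(f"{attempt!r}: {verdict}")
```

      Each stored entry has its own salt, so a candidate has to be re-derived once per entry; with a slow KDF that cost is what makes an offline attacker's job hard as well, and it is the reason the variant list is kept short rather than trying every imaginable edit.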

  • @johnstevenson9956
    @johnstevenson9956 10 months ago +1

    "123456? Sounds like something an idiot would have on their luggage! Run out and change the password on my luggage."

  • @mariusvanc
    @mariusvanc 10 months ago +4

    There are still web sites that store passwords in clear text in a database, so literally ANYthing is better.

  • @Jayjay-qe6um
    @Jayjay-qe6um 10 months ago +3

    "Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months." -- Clifford Stoll

    • @__christopher__
      @__christopher__ 9 months ago

      And use a different toothbrush for each tooth?

    • @ronnronn55
      @ronnronn55 8 months ago

      My dentist gives me a new tooth brush every time I get my teeth cleaned. But I don't see hackers lining up to brush my teeth!!! Maybe it's different with computers tho. :)

  • @muffenme
    @muffenme 10 months ago +2

    Unless you're on that mainframe and have a very fast transfer rate, you can't put in 350,000,000,000 passwords per second; therefore there should be a small delay, 2 seconds. No matter how fast you can guess the password, it will still be a 2 second delay. So a 6 length password using 89 different characters would take 47277 years at most to guess someone's password right if done right. If you allow 350,000,000,000 passwords per second to be checked then that's the big problem.

    • @drumguy1384
      @drumguy1384 10 months ago +1

      Many login systems use a deliberate delay between attempts to do just that. They also use things like max retries before account lockout. However, these measures only prevent brute-forcing on the live system. If the attacker ever gets their hands on the password hash they are only limited by computing power in how many attempts per second they can make. That is the essence of password cracking.

    • @muffenme
      @muffenme 10 months ago

      @@drumguy1384 They should limit all tries to a 2 second delay between tries no matter what because it would slow all down. 2 passwords per second is 1 password per second too many. You need to prevent a computer from guessing 350 billion passwords per second and thinking everything is OK. You know that many tries would consume a huge amount of bandwidth that you'd need a terabit internet connection to do this.

  • @Remixthisgaming
    @Remixthisgaming 10 months ago +7

    That first one minute segment was hilarious I actually laughed out loud. Good job Simon and your writers

  • @catatonicbug7522
    @catatonicbug7522 10 months ago +3

    Now that FIDO2 is a thing, we should all be using hardware keys for everything. Passwords should be a thing of the past.

  • @pharmdiddy5120
    @pharmdiddy5120 10 months ago +6

    I do so hope some IT security higher ups are watching this

  • @russellfitzpatrick503
    @russellfitzpatrick503 10 months ago +2

    One minute in and SW has already got me hooked. Sufficient sarcasm and biting satire to keep his lawyers busy for years. Keep it up

  • @RB-bd5tz
    @RB-bd5tz 9 months ago +1

    Gotta love it when you're told to create a password, so you do - and then get a screen telling you (*edit: screaming at you in red text) that your chosen password doesn't fulfill some requirements that they didn't tell you about in the first place. I've seen very few account setup screens that actually give you the rules up front.

  • @Ylyrra
    @Ylyrra 9 months ago

    Most annoying password requirement is from the surprising number of places that impose a MAXIMUM length. Immediately tells you that they don't know anything about storing your data securely.

  • @Chris47368
    @Chris47368 10 months ago +9

    All this in part: Is why I use an offline password manager(randomly generated/unique passwords) with TOTP and/or a hardware key for 2FA whenever possible...
    A few years back - I practically had all my passwords within google chrome leaked from some malware... needless to say, I have been extremely paranoid about security since 😂

    • @davidioanhedges
      @davidioanhedges 10 months ago

      So you now know no passwords ... and if you forget the one for the password manager you have lost all of them

    • @RC-14
      @RC-14 10 months ago +2

      @@davidioanhedges That's a lot better than knowing them all because that probably means you know 1-3 passwords and reuse them.
      Forgetting the password for the password manager is also not something that happens because you need that password every time you want to access your stored passwords.

    • @Chris47368
      @Chris47368 10 months ago

      @@RC-14 The amount of times I had to enter my database password...it has indeed been seared into my brain, practically muscle memory at this point! 😂

    • @Chris47368
      @Chris47368 10 months ago +1

      @@davidioanhedges As the other commenter said, *much much easier* to remember one password secure enough to outlive the universe in terms of brute force attempts...than trying to remember 3+ passwords at a time for each different service, that are nowhere near as secure...that you will also have to change practically every week with each new breach and in turn update every other service that used that same password...and in case you try to suggest storing on paper...that sounds super slow/inconvenient and could go horribly any time in case it was to be lost, stolen or somehow destroyed....lol
      Everyone should be using a password manager in 2023 tbh, there are just no other practical compromises while also wanting to stay very secure...

  • @lazytommy0
    @lazytommy0 10 months ago +5

    Ha! Jokes on them! My password is impossible to crack. My password is... wait a minute!.. 😅

  • @glennmcgurrin8397
    @glennmcgurrin8397 10 months ago +1

    The worst are sites that require a special character but don't allow 5 or 6 of the normal special characters.

  • @arthill2310
    @arthill2310 9 months ago +2

    Preach it, Brother!! I have been saying all of this for over a decade, but more people think I am a crazy person. I mean... they are not wrong, but I am also correct...

  • @jhouck1969
    @jhouck1969 9 months ago +1

    I know this isn't a perfect solution, but at our company we used a setting in our MFA software to require the OTP provided by the MFA app before the password for locations deemed dangerous (Russia, North Korea, etc.). This one change stopped most of the brute-force attempts (and subsequent password lockouts) instantly. At least until the explosion of VPN software allowed those hackers to start appearing to come from the US. Our next step will probably be to make that the default setting instead of password before OTP.

  • @user-yv4mm6bx3c
    @user-yv4mm6bx3c 9 months ago +1

    "So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!"

  • @robertn2
    @robertn2 10 months ago +4

    I go nuts every time I have to come up with a password. At some point I am almost attempting to ask on Facebook for suggestive passwords.

    • @-_James_-
      @-_James_- 9 months ago

      Use a password manager.

  • @ViraIshnia
    @ViraIshnia 10 months ago +2

    I'm glad that I've never used "password" for a password (I'm not bragging, I'm legit just happy). I've found that a good system for me is I'll let my web browser generate a password and save it for sites that will have a limited effect on me if they're hacked. For logins like my email, I'll use a random password generator and write it down in a notebook and not save it on the browser. It is a little annoying when I'm asked to login again and I'm not in front of my computer but it's an inconvenience I can live with.
    A friend of mine goes one step further. Their passwords are just strings of letters and numbers that are then put into a word document filled with random numbers and letters. So unless you know what you're looking for, the whole thing just looks like gibberish.

  • @geoffstrickler
    @geoffstrickler 9 months ago

    I have opposed the pre 2017 NIST password recommendations of complexity and frequent changes for more than 20 years, and was quite vocal about why. So much so that when the first draft of the changed recommendations was released in 2017, a former coworker immediately forwarded it to me with a note along the lines of “the NIST is finally catching up with you”.

  • @bobingabout
    @bobingabout 10 months ago

    Some people who I used to work with at the Motor vehicle training center. You know, they're not dumb, but Computers aren't the sort of thing they have a skill set for, particularly for the ones close to retirement age.
    Person 1. He literally used a marker to write on his desk, a number. What was that number? Well, say the number was 68, that meant his password was "Sixty8". The reason why he did that, is because he had to change his password every 3 months, so in 3 months his password would become "Sixty9".
    Person 2. He refused to even touch the computer, but with the modern work systems, he had to log in to check for important emails, or even do training on the computer. So, not only did he just tell everyone in the office his password, but he'd periodically ask them to log on as him to check his email, and training was typically somebody else logged onto a computer, with him sitting next to that person, saying the answers to the training questions.

  • @easyrider3112
    @easyrider3112 10 months ago

    As an IT specialist I have seen the battle waged between administration and users over the years, and they always avoid the root of the problem.
    The administration wants users restricted from having access to the information that users need to do their job effectively, because they don't think they need that information, because if the business processes work correctly the users don't need that access. Problem is, the business processes almost never work as intended.
    Add in the fact that users are usually not computer experts and don't know what they need on the network, and the IT staff, not knowing how to do the users' jobs, also don't know what access is needed. This just complicates the problems and frustration.

  • @beagleissleeping5359
    @beagleissleeping5359 10 months ago +2

    Social media posts that say things like, "Bet no one remembers their 5th grade teacher."
    Then 1.2k people respond with their teacher's name, half of which take the time to reminisce on the good old days of childhood.

    • @Nahasapasa
      @Nahasapasa 10 months ago +1

      Good ol' Mrs. Phisher

    • @christinebenson518
      @christinebenson518 10 months ago

      My 3rd grade teacher is my neighbor behind me. My current neighbors to my left are the parents of the woman who was my neighbor to the right of my old house. Oh, and my current neighbor's brother wanted to buy our house 2 houses ago. Small towns are weird.

  • @joanfregapane8683
    @joanfregapane8683 9 months ago +3

    One of my favorite computer password experiences was when the system asked me for my (security question) father’s middle name. I confidently typed it in only to be told that I was wrong. So I thought maybe I had capitalized the first letter, so I confidently typed it capitalizing the first letter…and was again told I was wrong. I ended up having to redo my entire password and (definitely) selecting a different security question.

    • @EyMannMachHin
      @EyMannMachHin 9 months ago

      Funnily, I have my own paranoid method for those security questions: putting something not obvious in there that makes sense to me, but is totally unrelated to the question.

    • @ronnronn55
      @ronnronn55 8 months ago +1

      @@EyMannMachHin Just another thing to have to remember -or write down somewhere so you can find it later.

  • @rossharper1983
    @rossharper1983 10 months ago +1

    I'm very tech orientated, but I'd been using the same password for 25 years 🤦🏻‍♂️, up until last month when I finally had an important account compromised. I now run my own password manager on my own internal server.

  • @brettbridger362
    @brettbridger362 9 months ago +2

    In the first job I had that required cycling of passwords (it remembered the previous 12 passwords), I simply wrote a script that would change my password through thirteen other passwords, then back to the original one.

  • @BazzFreeman
    @BazzFreeman 10 months ago

    Diceware - 5 million-word lists, randomly select one from each list - say by throwing a million-sided dice - The words returned are highly likely not to be related in any way.
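
    The word-list passphrase idea raised in the comment above (and in the earlier "phrase or sentence" suggestions) as an added example, not a commenter's code and not any particular Diceware implementation: words are drawn uniformly with a CSPRNG, and the entropy of the result is compared with a short random character password and turned into worst-case search time at the 350 billion guesses/second figure quoted elsewhere in this thread. SAMPLE_WORDS is a constructed 24-word stand-in for a real list; a standard Diceware list is indexed by five six-sided dice and therefore has 6**5 = 7776 entries, which is the size the entropy figure uses. Function names and the `pick` parameter are assumptions made for the demo.

```python
import math
import secrets
from typing import Callable, List

# Constructed 24-word stand-in for a real Diceware list (not the real list).
SAMPLE_WORDS: List[str] = [
    "apple", "bishop", "cactus", "dollar", "ember", "falcon", "garden", "hammer",
    "island", "jigsaw", "kettle", "lantern", "marble", "nickel", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "tunnel", "umpire", "velvet", "walnut", "yonder",
]
# A standard Diceware list is indexed by five six-sided dice: 6**5 entries.
DICEWARE_LIST_SIZE = 6 ** 5
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def diceware_passphrase(word_list: List[str], n_words: int = 5,
                        pick: Callable[[int], int] = secrets.randbelow) -> str:
    """Join n_words chosen uniformly and independently from word_list.

    pick(n) must return an integer in [0, n) uniformly. secrets.randbelow is
    the CSPRNG default; the parameter exists so a test can inject a fixed
    chooser. Picking words "from memory" instead destroys the uniformity that
    the entropy figure below relies on.
    """
    if n_words < 1 or not word_list:
        raise ValueError("need at least one word and a non-empty list")
    return " ".join(word_list[pick(len(word_list))] for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of a uniformly chosen passphrase: log2(list_size ** n_words)."""
    return n_words * math.log2(list_size)


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random character string, for comparison."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at a sustained guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("sample passphrase:", diceware_passphrase(SAMPLE_WORDS, 5))
    five_words = entropy_bits(5, DICEWARE_LIST_SIZE)
    eight_chars = random_string_entropy_bits(8, 94)  # 94 printable ASCII chars
    print(f"5 Diceware words: {five_words:.1f} bits")
    print(f"8 random printable ASCII chars: {eight_chars:.1f} bits")
    # One guess per 2 s (a throttled login) versus the offline rate quoted in the thread.
    for rate in (0.5, 350e9):
        print(f"  at {rate:g} guesses/s: {years_to_exhaust(five_words, rate):.3g} years")
```

    Five words from a 7776-entry list carry about 64.6 bits, more than eight uniformly random printable-ASCII characters (about 52.4 bits), and the words are far easier to type and remember; the comparison also makes the point raised further up the thread that a 2-second server-side delay only protects the live login, while a leaked hash is attacked at whatever rate the attacker's hardware allows.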

  • @leholen381
    @leholen381 9 months ago

    My school says you can’t reuse any of your last 5 passwords, one of my old jobs said you couldn’t reuse any of your last 10 passwords, my current job NEVER lets you reuse a password. They all require you to change your password every 90 days.

  • @angelasylvain2476
    @angelasylvain2476 9 months ago

    Best password: Write down your best rant including all the curse words. Write down the second letter of each word. Change some letters to numbers and capitalize in the correct place. Use a random character to replace all the punctuation. You’ll never forget it.

  • @1crazypj
    @1crazypj 10 months ago +1

    I'm in USA but many places, even social sites won't let me use ' £ ' as special character or allow it then give 'wrong or incorrect' password error?

  • @Randy.E.R
    @Randy.E.R 7 months ago

    Thank you so much for this video. I work for a public utility that employs about 14,000 people, most of whom work in an office. Some work in the main office while others work in one of the 43 other offices in California. It goes without saying that the IT department has their hands full keeping the network secure. For those of us that don't work in an office, we work in the field with very little need for a computer, yet we are held to the same Nazi rules as office employees. I work alone as a truck mechanic in one of their remote garages. I use the computer to input my time and the information on whatever piece of equipment that I repair. I have zero access to any company records, grid information, or anything else. A hacker would die of boredom if he got into my computer. Still, I am required to change my lengthy password every 90 days, and am logged out after 2 minutes of no activity. It's absurd! Not only that, my company issued cell phone that has no apps other than what came with the phone has to have the six digit unlock code changed every 90 days. Again, why? Someone may unlock it and make calls if they steal it? There is no information on the phone. I was better off with the flip phone they gave me years ago.

  • @StevieZala
    @StevieZala 10 months ago +1

    I'm just thrilled Mr Whistler quoted Castor & either he or his writer is a Legacy fan. That's made my day but then we're hardcore TRON fans in this house.

    • @TodayIFoundOut
      @TodayIFoundOut  10 months ago +1

      Tron Legacy and its soundtrack are both absolute treasures. And one of my daughters is named after Quorra :-) -Daven

  • @hypocriticalcritic6915
    @hypocriticalcritic6915 9 months ago

    Amazon makes employees create a password that has at least 8 characters, one upper case, lower case, special symbol, and number. It also CANNOT contain ANY dictionary words, at least correctly spelled.

  • @numbers0580
    @numbers0580 9 months ago +1

    Regarding the security questions, I recall one time in my life that I was applying for (I forget) something online. Possibly a bank loan. Anyway, in order for the system to verify my identity, it apparently scraped my records and had me take a questionnaire about myself, including which was the first model of car I owned, etc. When I saw that it already knew the answer and just needed me to pick the right one, it made me question the strength of those password security questions that ask me the same thing if someone else could scrape my historical records, too. Apparently, the only smart thing to do with the security questions is to lie on them but then you have to remember the lies.

    • @TysonJensen
      @TysonJensen 9 months ago

      Email yourself the lies. Gmail, Hotmail and quite a few others are encrypted and better defended than the password database of whatever stupid site is asking you silly security questions.

  • @abc123fhdi
    @abc123fhdi 10 months ago +4

    What about passkeys? Just do away with passwords altogether. We have fingerprint scanners and Windows Hello, but IT has it disabled on our laptops.

    • @davidioanhedges
      @davidioanhedges 10 months ago

      Fine until you lose it ... or it breaks ...

  • @taukakao
    @taukakao 18 days ago

    Not requiring passwords is still the best approach.
    The user should not need to remember more than one single password, and that's the one of the password manager.
    All other passwords should be retrieved automatically from this password manager.
    Also, the password manager should, if possible, automatically decrypt with your user password when you log into the PC, which makes it more convenient and causes people to actually use it.
    Then, when you actually need confirmation that the correct user is asking for something just require a fingerprint or pin.

  • @trapfethen
    @trapfethen 9 months ago

    The best passwords are long memorable phrases. No tricks or gimmicks, just lots of characters arranged in a way that makes sense to you. As soon as you get over four words, the number of possibilities explodes beyond all reason and most people have unique passwords. Incorporate the name of the site into your password somehow and you get around the reusing issue as well. If you use USB keys, store those recovery codes. It is not a joke when they say if you lose your USB key and don't have those codes, you won't be able to get back into your account.

  • @Ubique2927
    @Ubique2927 10 months ago +4

    I absolutely need to write down my passwords for everything. I cannot remember all of my passwords. Indeed over 80% of my passwords are exactly the same.

    • @colt5189
      @colt5189 10 months ago +9

      Use a password manager.

    • @AltonV
      @AltonV 10 months ago

      A password manager I can recommend is Bitwarden. It's free and open source.

    • @carddamom188
      @carddamom188 10 months ago

      @colt5189 Use the discount that Simon has for NordPass!

    • @sydhenderson6753
      @sydhenderson6753 10 months ago

      @colt5189 Then they'll write down the master password.

  • @doctor_gee
    @doctor_gee 10 months ago

    2 of the schools I work with had an IT security audit THIS YEAR, and the auditors still wanted them to force staff to change passwords every 30 days. Absolute facepalm.

  • @thorbjrnhellehaven5766
    @thorbjrnhellehaven5766 9 months ago

    This aligns with the password policy I set, while I had IT responsibilities.
    - No scheduled change
    - only require minimum length
    Then new owners came, and users started complaining, and then making easy-to-remember algorithms to remember their new password, or just using a post-it.

  • @nukadog1969
    @nukadog1969 10 months ago +11

    You make a good point, but don't necessarily go far enough. Using reliable biometrics, combined with a machine-derived passkey pair, you can absolutely limit access and improve everything and you go beyond passwords altogether. Passwords are the past overall; we already have better. It's time for all of that existing infrastructure to begin using truly unique, unbreakable access methods.

    • @theghost9667
      @theghost9667 10 months ago +2

      Cheaper computer models don't have biometric sensors. So how would that work?

    • @nukadog1969
      @nukadog1969 10 months ago

      @theghost9667 Likely the way things like that are always done, either by carrot or stick. The carrot being some sort of government incentive for including these very inexpensive sensors; the stick being threat of banning, either outright or through government acquisition blocking, which kills things far quicker than any legislation. It could even be cast as a bill in Congress to incentivize or ban...it's happened frequently in computing since the beginning. The same way cars are mandated, in other words.

    • @theghost9667
      @theghost9667 10 months ago

      @nukadog1969 but the law should also include that the cost is not just transferred to the consumer price

    • @windhelmguard5295
      @windhelmguard5295 10 months ago +4

      This doesn't and cannot work for one simple ass reason:
      it would involve you needing to be able to trust random internet services with god knows which ulterior motives and garbage security with your biometric data.
      Also biometric data scanners suck ass anyway; I'm faster typing in my unlock number than trying to unlock my phone with the finger scanner.

    • @theghost9667
      @theghost9667 10 months ago

      @windhelmguard5295 in my phone it is the other way around. I guess it depends on the model?

  • @jessicapinto3817
    @jessicapinto3817 2 months ago

    Simon, you are a gem. I've been hating having to change my passwords every so many days because it makes no sense! "Another one to remember? I'll be running out of ideas soon, I have to start writing them down." I am opening up this discussion at my company and now I have some studies, thanks to this video, to back up my claim! Viva la antipasswordution!

  • @jfh667
    @jfh667 9 months ago

    On a side note, you shouldn't keep your keys in the same place, like a key ring or a purse, because someone finding your car keys would also have your house keys.
    And of course, avoid windows on your house because they are a security weakness.

  • @RealCadde
    @RealCadde 9 months ago

    In modern times we use encryption to protect our sensitive data. Encryption with increasing sizes of keys because a weak (too short) key can be brute forced or otherwise exploited to get at the data.
    So for a 64-bit key (which is super weak today) you already have 18,446,744,073,709,551,616 combinations to choose from. Yet it is easily broken by a strong computer.
    64 bits is just 8 bytes. Or 8 characters in your password, if you will. And you have 256 different characters to choose from (including null and the special characters like line feed, carriage return, beep and backspace etc...).
    That is to say that if your password is weaker than the encryption you are using, then they aren't going to break your encryption first; they are going to break your password, no matter how random it is.
    We are up to the point of using encryption that is 256 bits. That corresponds to a password of random characters chosen from 256 available, of length 32.
    So unless your password is 32 characters long and entirely random, your security is only as strong as your password.
    As has already been explained though, remembering 32 random bytes... yes, bytes. Not letters and numbers and symbols but actual bytes... is damn near impossible for humans.
    The best bet for being able to remember that would be to memorize this: 31415926535897932384626433832795, which is the first 32 digits of pi. Of course that would be on a list of common passwords, so don't use that!
    Which brings me to said list of common passwords. Even if your password is 32 letters or digits, chances are that those letters and digits are already on a list of known passwords, because you have to be able to remember it, and as such you are likely using a combination of letters and numbers that is likely for a human to remember, and so it exists in a database somewhere.
    The best password is one only you can remember. But how do you know that?
    You of course become a hacker and collect all the password breaking tools known to mankind to continually break your own "random" passwords until you find a password that you can't use said tools to break in a given time frame.
    Of course you would still have to develop a pattern for how to remember the password, lest your efforts of creating the password become moot, and so you'd do better to just get a USB key.
    Now, since we are still human, at least you can use a password that you can remember that is LESS likely to be in a database. And those are completely new words. New words that have no known words inside of them, lest they be found by stringing two or more known words together by the password cracker.
    Say you want to use "Correct Battery Horse Staple" as a password... You should now invent a new way of saying that.
    So it could be "Cawregt Bortery Haws Stalpe" which would likely be a much stronger password and all you have to remember is how you chose to incorrectly spell those words.
    And another option could be to use very uncommon words from other languages if you know them (because English is the number one language targeted in known password databases) such as "Ölkagge" (Beer Belly) and reverse the word so the password would be "eggaklö". Stronger than choosing a known word and adding/replacing letters with symbols and capitalizations.
    Of course you'd also want something longer than that since it's only 7 letters.
    Funny thing is, the latter example with the letter ö in it is likely not going to work because the platform you are using to choose a password on will RESTRICT you from using anything but letters, numbers and common symbols. Even blank spaces are prohibited... THAT is a major flaw as a password is meant to use all available variations of characters the same way cipher keys are.
    But it's worth a try. So know or learn a different language and use a word with more than 8 letters from said language in reverse and you are instantly in the top 1% of hardest to break passwords.
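The comment above measures password strength against key length (64 bits = 8 random bytes, 256 bits = 32). The calculation below, an added example rather than anything from the video or the commenter, carries that comparison through for several symbol sets and shows how many random words from a word list reach the same strength; the word-list size (7776, a diceware-style list) is an assumption, and the figures only hold for uniformly random choice, never for a human-chosen or misspelled phrase.

```python
import math

# Symbol-set sizes used in the comparison (the word-list size is an assumed value).
BYTE = 256        # every byte value, as in the 64-bit / 256-bit key comparison
PRINTABLE = 95    # printable ASCII: letters, digits, punctuation, space
LOWER = 26        # lowercase letters only
DICEWARE = 7776   # a 6^5-entry diceware-style word list (assumed size)


def entropy_bits(symbol_set: int, length: int) -> float:
    """Entropy of a secret whose `length` symbols are each drawn uniformly from `symbol_set` choices.

    Only uniform random choice earns these bits; a phrase a person made up,
    or a dictionary word with letters swapped, has less however it is counted.
    """
    return length * math.log2(symbol_set)


def combinations(bits: float) -> int:
    """Number of equally likely secrets at a given entropy (2**64 for a 64-bit key)."""
    return 2 ** round(bits)


def length_to_match(symbol_set: int, target_bits: float) -> int:
    """Smallest number of uniformly chosen symbols whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(symbol_set))


def key_equivalents(key_bits: int) -> dict:
    """Length, per symbol set, that a random secret needs to be as strong as a `key_bits` key."""
    return {
        "random_bytes": length_to_match(BYTE, key_bits),
        "printable_ascii": length_to_match(PRINTABLE, key_bits),
        "lowercase_only": length_to_match(LOWER, key_bits),
        "diceware_words": length_to_match(DICEWARE, key_bits),
    }


def words_to_beat(symbol_set: int, length: int) -> int:
    """Random word-list words needed to exceed a `length`-symbol password over `symbol_set`."""
    return length_to_match(DICEWARE, entropy_bits(symbol_set, length))


if __name__ == "__main__":
    for key in (64, 128, 256):
        print(f"{key}-bit key, {combinations(key)} combinations, needs: {key_equivalents(key)}")
    bits8 = entropy_bits(PRINTABLE, 8)
    print(f"8 printable chars = {bits8:.1f} bits; random words to beat it: {words_to_beat(PRINTABLE, 8)}")
```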

  • @Ryarios
    @Ryarios 9 months ago

    The company I work for finally went from a minimum of 8 characters with standard mix, changed every 90 days to 14 characters with standard mix and never changed.

  • @jimcappa6815
    @jimcappa6815 10 months ago +3

    Based on the Washington sports team reference, I guessed that Daven wrote this one. I like the Ichiro bobblehead on his bookshelf!

    • @TodayIFoundOut
      @TodayIFoundOut  10 months ago +9

      Beyond the annoyance of it all, as someone with a B.S. and M.S. in Computer Science, this password thing has driven me crazy forever. So when having to needlessly and complicatedly change my password, like every time I log in to my company's accounting firm web portal, which requires changing the password every 90 days... Even though it's a service I only have to log in to about twice a year 🙃... You can see the frustration. Many state and federal business-related portals are the same. And similarly rarely need to be accessed. And similarly don't let you use a previously used password, and it must be VERY different from any of those... And super complex to humans but not to machines. So it's every freaking time. So I did some taxes a few weeks back, and then immediately wrote this. 😋 I hope the subtle rage comes through. 😋 -Daven

    • @chitlitlah
      @chitlitlah 10 months ago +1

      @TodayIFoundOut We all share your pain. Typically the accounts with the worst consequences if compromised, such as bank accounts and e-mails, have the least restrictions. If it's something that I'd hardly even notice if someone hacked it, such as my F1TV account where the worst they could do is cancel my service, you can bet it's going to have rotating passwords, a minimum length of 37 characters, every punctuation mark and special symbols including F-keys must be used, etc.

  • @phizc
    @phizc 9 months ago

    I'd say there are 2 or 3 levels of password security requirements.
    1. Banking and government services (tax, health, etc.)
    2. (possibly 1) Work account, email account.
    3. Everything else. Shopping, YouTube, Netflix, etc. etc.
    1/2 must be extremely secure. 2 factor at least.
    3 shouldn't use passwords *at all*. You log in by proving you have access to the email address or use an authenticator app or something like that.
    Anything involving payment should be protected by 3D-secure or similar.

  • @uchinanchuu58
    @uchinanchuu58 10 months ago +1

    "And to illustrate the power of length..."
    Giggity.

  • @toddnolastname4485
    @toddnolastname4485 10 months ago +3

    So, we all just sat through a 23 minute ad for a password manager, written by an employee of the sponsor?

    • @HoundMonkey
      @HoundMonkey 10 months ago +1

      Yeah, kinda...

  • @davidioanhedges
    @davidioanhedges 10 months ago +3

    Password managers mean you don't know any of your passwords, and if you lose access to it you have lost everything ...
    ...another ridiculous solution
    Meanwhile if the people that are going to try and steal your password will never be physically present ... writing it down is much more secure

    • @djp_video
      @djp_video 10 months ago

      So you store a written copy of your master password somewhere safe. Problem solved.
      Avoiding password managers makes you so much more secure in every way that it's laughable that anyone dismisses them outright. The added security from having a password manager is such that they should almost be mandatory if someone is going to be on the Internet.
      Any password that you can remember is an abysmal password. Anyone in computer security will tell you that.

    • @davidioanhedges
      @davidioanhedges 10 months ago

      @djp_video A password manager is a massive target, any flaw however minor *will* be exploited, the companies who run them regularly get hacked, according to them they haven't leaked passwords ... but ...

  • @MauroTamm
    @MauroTamm 10 months ago +6

    Throttling login attempts/freezing does more than complex passwords.
    You can only brute force if database leaks. And that's a different kind of security problem.

    • @AnthonyCarlyle
      @AnthonyCarlyle 10 months ago

      Unfortunately there are enough recent data breaches to build up quite a large amount of training data. Timeouts are good for low-level brute force attacks. That being said, it is very possible to cycle through different proxies (varying the gateway between you and the connection to the internet) to make the attacker appear to be logging in from different locations. The program brute forcing can take all these and more into consideration to avoid triggering a lockout or freezing of attempts to log in.

    • @jonadabtheunsightly
      @jonadabtheunsightly 10 months ago

      For the sake of defense in depth, you still want to have a good password.
      However, most people's idea of what makes a password "good" is terrible. The absolute best thing you can do to make a password better is to make it longer, and if you need to reduce the character set to only lowercase letters (and maybe spaces or hyphens to separate words) and make it out of dictionary words so you can remember it, adding an extra couple of words onto the end is more than enough to compensate and net you a higher overall complexity. Honestly, just use a sentence.
      The exception is for that one password you have to type several times an hour, which is going to end up in muscle memory; for that one, you can save time typing it by making it shorter, and it's worth avoiding dictionary words and using a mix of types of characters in order to accomplish that because anything you use that often is going to pretty much memorize itself. But this is the exception rather than the rule. Most of your passwords should be longer and easier to remember.

    • @JohnClark-tt2bl
      @JohnClark-tt2bl 10 months ago +1

      @AnthonyCarlyle If the account itself is locked, it won't matter how many different locations you appear to be trying from.

    • @AnthonyCarlyle
      @AnthonyCarlyle 10 months ago

      @JohnClark-tt2bl Ahh very true. Ty
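The thread above settles on the point that a lockout keyed on the source address is sidestepped by spreading guesses across addresses, while one keyed on the account is not. The throttle below is an added illustration, not code from the video or any of the commenters: it counts recent failures per account and per source address with a time-bounded lock (so a flood of bad guesses cannot shut a user out permanently), and replays a constructed burst of wrong guesses for one account from 30 different addresses in the 203.0.113.0/24 documentation range; the thresholds are assumed values.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5       # failures inside the window before a lock (assumed threshold)
WINDOW_SECONDS = 900   # sliding window in which failures are counted (assumed)
LOCK_SECONDS = 900     # lock is temporary, so bad guesses cannot lock a user out for good (assumed)


class LoginThrottle:
    """Tracks recent failures per account and per source address; either counter can refuse an attempt."""

    def __init__(self, per_account: bool = True, per_ip: bool = True):
        self.per_account, self.per_ip = per_account, per_ip
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lock expires

    def _keys(self, user: str, ip: str) -> list:
        keys = []
        if self.per_account:
            keys.append(("acct", user))
        if self.per_ip:
            keys.append(("ip", ip))
        return keys

    def allowed(self, user: str, ip: str, now: float) -> bool:
        """True unless the account or the source address is currently locked."""
        return all(self.locked_until.get(k, 0) <= now for k in self._keys(user, ip))

    def record_failure(self, user: str, ip: str, now: float) -> None:
        for k in self._keys(user, ip):
            q = self.failures[k]
            while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside the window
                q.popleft()
            q.append(now)
            if len(q) >= MAX_FAILURES:                 # too many recent failures: lock this key
                self.locked_until[k] = now + LOCK_SECONDS
                q.clear()

    def record_success(self, user: str, ip: str) -> None:
        for k in self._keys(user, ip):
            self.failures.pop(k, None)


def rotating_source_attempts(n: int) -> list:
    """Constructed replay: n wrong guesses for one account, each from a different address, 1 s apart."""
    return [(float(i), "alice", f"203.0.113.{i}") for i in range(n)]


def guesses_reaching_check(throttle: LoginThrottle, attempts: list) -> int:
    """Replays wrong guesses and returns how many the password check actually had to evaluate."""
    evaluated = 0
    for when, user, ip in attempts:
        if throttle.allowed(user, ip, when):
            evaluated += 1
            throttle.record_failure(user, ip, when)
    return evaluated


if __name__ == "__main__":
    burst = rotating_source_attempts(30)
    print("per-address lock only:", guesses_reaching_check(LoginThrottle(per_account=False), burst))
    print("per-account lock too: ", guesses_reaching_check(LoginThrottle(), burst))
```

With only the per-address counter, every one of the 30 guesses reaches the password check; with the account counter, the check sees five and the rest are refused until the lock expires.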

  • @OfTheGaps
    @OfTheGaps 10 months ago

    Q: What is your mother's maiden name?
    A: "I'm a goofy-goober. Rock!"