YouTube Doesn't Know Your Password

  • Published on 3 Aug 2014
  • tomscott.com - @tomscott - A brief introduction to password hashing for the uninitiated -- and why you should never trust a site that emails your password back to you!

Comments • 1.4K

  • @smgibb
    @smgibb 9 years ago +737

    I almost had a heart attack when I started working where I do now and discovered all of our user's passwords were in plaintext. I brought up objections to it, and was told it wasn't worth changing because we don't hold onto any data that really matters (basically an email address). Had to point out that the passwords the user uses are probably the same password for accounts elsewhere; so if I could see their passwords and email addresses, then I could probably log into their email and just go from there. They still didn't think it was really an issue. After arguing and out of desperation I had them pick a random user from the database, and I used the clearly visible information to log into that user's email.
    Suddenly hashing the passwords became a priority.

    • @grilledwaffle
      @grilledwaffle 1 year ago +102

      Thanks for protecting the consumers

    • @itismethatguy
      @itismethatguy 1 year ago +26

      That one guy...

    • @Lampe2020
      @Lampe2020 1 year ago +61

      @@itismethatguy
      ...probably almost had a heart attack when his email provider showed him another device he didn't know had logged in to his email account.

    • @Xnoob545
      @Xnoob545 1 year ago +1

      Hashing isn't even enough these days

    • @Lampe2020
      @Lampe2020 1 year ago +24

      @@Xnoob545
      It's at least a good starting point.
      I know, some hashing algorithms can relatively easily be reversed these days but there are always new hashing algorithms that are more time-consuming to crack.

  • @shrigula9457
    @shrigula9457 8 years ago +8814

    I don't know my password either! Wow, I am so much like YouTube.

    • @Freakschwimmer
      @Freakschwimmer 8 years ago +74

      +MLG Cthulhu
      you just open your favorite browser and it works? :D

    • @shrigula9457
      @shrigula9457 8 years ago +25

      Freakschwimmer yeah.

    • @tomuhawk96
      @tomuhawk96 8 years ago +38

      +MLG Cthulhu mine's randomly generated, I just keep an encrypted file so I know what to enter where.

    • @joelbeedle9461
      @joelbeedle9461 8 years ago +7

      +Tomuhawk clever

    • @crunch1757
      @crunch1757 7 years ago +5

      👏

  • @TheEternalVanguard
    @TheEternalVanguard 8 years ago +2958

    That's okay, I can't remember mine, either

    • @npc_tom
      @npc_tom 7 years ago +3

      How did you get to your YouTube account, then?

    • @Luca-iq4ev
      @Luca-iq4ev 7 years ago +20

      It's stored in his Browser +pixar121

    • @AQDuck
      @AQDuck 7 years ago +37

      I just download one of those ad-infested password managers from Softonic, works like a charm!
      Obviously I'm joking...

    • @popcornceiling3287
      @popcornceiling3287 6 years ago +5

      That means *noone* knows!

    • @popcornceiling3287
      @popcornceiling3287 6 years ago +5

      It's the perfect way to hide your password.

  • @Chocomint_Queen
    @Chocomint_Queen 9 years ago +5423

    Kind of disappointed you didn't end on "if you find a website that DOES email you your password, run, because proper security is... a thing they might not know."

    • @EmptyNullified
      @EmptyNullified 5 years ago +68

      Even hashed, hashing with md5 is still not secure tho

    • @markmayonnaise1163
      @markmayonnaise1163 5 years ago +32

      Slightly grammatically incorrect, but I'm with you

    • @maoitsme0
      @maoitsme0 5 years ago +7

      @@markmayonnaise1163 better?

    • @prodigy2k7
      @prodigy2k7 5 years ago +4

      Md5 is garbage.

    • @plusonerabbit
      @plusonerabbit 4 years ago +28

      @@maoitsme0 I realize this video and comment are old, but I just wanna say that people don't use MD5 because it's too fast and is prone to collisions, which is really bad for passwords. Use something like bcrypt instead.

  • @bhunterwillis
    @bhunterwillis 9 years ago +2095

    "If they do [send it back], run. They have no idea what they're doing."
    *Cough* ADOBE *Cough*

    • @Kram1032
      @Kram1032 9 years ago +227

      Adobe sent back password hints, not passwords.
      It's not quite as bad as sending back passwords but given that password hints are typically easy to solve, it's still rather bad.

    • @JER0EN
      @JER0EN 9 years ago +82

      Does Adobe send passwords? I thought that their database got hacked and the hackers looked the passwords up on a rainbow table.
      Adobe's fault for not salting the passwords.

    • @bhunterwillis
      @bhunterwillis 9 years ago +71

      They used to a few years ago, but once they were hacked, changed it. Massive leak of data because they didn't store passwords correctly.

    • @maagiapall
      @maagiapall 9 years ago +31

      I was also surprised to see that the forum for the LWJGL (a Java game library) sends you your password. Now it's a fairly small forum that's probably using some forum generator service, but still - I'd expect a bunch of programmers to know not to do this stuff :D

    • @notanimposter
      @notanimposter 9 years ago +3

      ***** Seconded! Though I'm not a member of that community (I have used LWJGL in the past, though), I'm sure all the programmers there would be glad to know of and to try to patch any security flaws.

  • @HeroOfHyla
    @HeroOfHyla 8 years ago +791

    "If you ever find a company that does email you your password when you say you've forgotten it, well, run"
    I'd love to, but they control the entire college textbook market and I have to use their services to turn in my homework.

    • @OrigamiMarie
      @OrigamiMarie 7 years ago +143

      The best you can do then is make very extra sure that you do the thing you ought to anyway: use a different password with them than you use for anybody else. That way if (when) somebody lifts their password & email database, that somebody can't get access to your other online accounts by just trying out your email & password combo with lots of sites.

    • @cigmorfil4101
      @cigmorfil4101 4 years ago +59

      And don't leave sensitive information (eg Credit Card) on that site.

    • @eatingcereal5646
      @eatingcereal5646 3 years ago +22

      Dang it CollegeBoard!

    • @Xnoob545
      @Xnoob545 2 years ago +4

      Just ask them how that is possible if they are storing passwords securely with a salted hash

    • @Anonymous-df8it
      @Anonymous-df8it 2 years ago

      Just print out your homework and give that to them lmao.

  • @TheIspira
    @TheIspira 8 years ago +593

    I made an account with a hosting service at one point, I had an issue logging into my account and they emailed me my password. This video is what saved me from putting my personal and payment information into that website.

    • @PuffyCraftOfficial
      @PuffyCraftOfficial 8 years ago +41

      +Ispira Was it 000webhost? They recently had a huge data breach due to them not hashing passwords securely.

    • @ArtyIF
      @ArtyIF 4 years ago +2

      i once forgot a password on ucoz and they literally just opened a window with my password in it

    • @larsiparsii
      @larsiparsii 4 years ago +3

      I know this is an old comment, but it was most likely 000webhost.

    • @jmejuniper
      @jmejuniper 3 years ago

      @Artyom Fomin |:| Without any email confirmation? Anyone can literally just say forgot password and get access to your account?

    • @genericusername4206
      @genericusername4206 3 years ago +5

      @@jmejuniper no, because if you do "forgot password", they email it to the person with the email connected to the account

  • @ludantothereddalmatian9349
    @ludantothereddalmatian9349 3 years ago +764

    "neither does Facebook"
    oh, the good old times before we found out FB stored passwords in plain text

    • @ezshroom
      @ezshroom 3 years ago +101

      *major vulnerability in debugging logs made for when they were creating the site*
      Facebook: eh, forget about it

    • @spv420
      @spv420 2 years ago +9

      @@ezshroom ha, log vulns

    • @legendgames128
      @legendgames128 2 years ago +7

      I wouldn't be surprised if YouTube stored passwords the same way Facebook does.

    • @Heha323
      @Heha323 2 years ago +52

      @@legendgames128 considering Google hasn't had any major database leaks, they definitely care a lot more

    • @legendgames128
      @legendgames128 2 years ago +3

      @@Heha323 Oh I wasn't talking about that, but good point.

  • @thierryvt
    @thierryvt 7 years ago +188

    aah yes, the good old days of receiving your password as an email when you'd forgotten it. Also, salting (for those interested) is the act of adding random bits of rubbish data to the hash. Any potential hacker won't know what part of your password hash is "real" and what is part of the "salt", making it effectively impossible to reverse.

    • @user-zb8tq5pr4x
      @user-zb8tq5pr4x 3 years ago +28

      salting also prevents same passwords hashing into the same thing

    • @willb4643
      @willb4643 3 years ago +3

      Tom finishes the video with "I've made a video about password hashing over on Computer-something" but doesn't link it in the description... this is the comment I was looking for, thanks! Don't need to find the video now.

    • @fisch37
      @fisch37 2 years ago +7

      There's also peppering, which is similar to salting, but your byte sequence is universal for every user and importantly is stored in code. That means a hacker, who got their hands on the database, won't be able to brute force the hash as they are missing part of it

    • @legendgames128
      @legendgames128 2 years ago +4

      Fisch37 salt and pepper. Is there another security measure named after food or the like?

    • @fisch37
      @fisch37 2 years ago +5

      @@legendgames128 Sadly, I'm not aware of any. However, if anyone manages to serve a cyber security meal, I'd like to know
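    The thread above discusses salting and peppering, and an earlier reply (@plusonerabbit) explains why MD5 is a poor choice for passwords. The following is an added example, not code from the video or from any commenter, showing how those pieces fit together in a defender's password store using only the Python standard library: a per-user random salt, a pepper kept out of the database (read from the hypothetical `PASSWORD_PEPPER` environment variable; the fallback string is a placeholder), a deliberately slow KDF (PBKDF2-HMAC-SHA256, standing in for bcrypt which is not in the standard library), and a constant-time comparison. The function names and the `algorithm$iterations$salt$digest` record layout are assumptions of this example.

    ```python
    import base64
    import hashlib
    import hmac
    import os
    from typing import Dict, Optional

    # Constructed for this example: the pepper is an application-side secret read
    # from configuration (an environment variable here), never stored in the
    # database next to the password records. The fallback value is a placeholder.
    PEPPER = os.environ.get("PASSWORD_PEPPER", "example-pepper-replace-me").encode("utf-8")

    # PBKDF2-HMAC-SHA256 work factor. A deliberately slow KDF is the point: an
    # MD5 or plain SHA-256 digest can be tried billions of times per second.
    ITERATIONS = 600_000


    def _b64(data: bytes) -> str:
        return base64.b64encode(data).decode("ascii")


    def _peppered(password: str) -> bytes:
        # HMAC keyed by the pepper, applied before the KDF: a leaked record is
        # useless for offline guessing without the secret held in application config.
        return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


    def hash_password(password: str, salt: Optional[bytes] = None) -> str:
        """Return a self-describing record: algorithm$iterations$salt$digest."""
        if salt is None:
            salt = os.urandom(16)  # fresh random salt per user
        digest = hashlib.pbkdf2_hmac("sha256", _peppered(password), salt, ITERATIONS)
        return f"pbkdf2-sha256${ITERATIONS}${_b64(salt)}${_b64(digest)}"


    def verify_password(password: str, stored: str) -> bool:
        """Recompute the KDF with the stored salt and compare in constant time."""
        try:
            algo, iterations, salt_b64, digest_b64 = stored.split("$")
        except ValueError:
            return False  # malformed record
        if algo != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", _peppered(password), salt, int(iterations))
        return hmac.compare_digest(candidate, expected)


    def unsalted_sha256(password: str) -> str:
        """What an unsalted scheme stores: identical for every user with this password."""
        return hashlib.sha256(password.encode("utf-8")).hexdigest()


    def demo() -> Dict[str, bool]:
        # Two users (constructed) who happen to choose the same password.
        pw = "correct horse battery staple"
        alice = hash_password(pw)
        bob = hash_password(pw)
        return {
            "unsalted_records_collide": unsalted_sha256(pw) == unsalted_sha256(pw),
            "salted_records_differ": alice != bob,
            "alice_verifies": verify_password(pw, alice),
            "bob_verifies": verify_password(pw, bob),
            "wrong_password_rejected": not verify_password("Correct horse battery staple", alice),
        }


    if __name__ == "__main__":
        for check, ok in demo().items():
            print(f"{check}: {ok}")
    ```

    The salt makes two records for the same password differ, so a single precomputed table cannot cover the whole user base; the pepper means a database-only leak is not enough to start guessing at all; the iteration count makes each guess expensive. `ITERATIONS` should be tuned so a hash takes tens to hundreds of milliseconds on the server doing the work.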

  • @munjee2
    @munjee2 4 years ago +105

    "Facebook doesn't know your password either"
    That aged well

  • @littlemikey46
    @littlemikey46 8 years ago +303

    So I was once signed up for a bank service that emailed me my password in plain text in a confirmation email.
    Needless to say I didn't stay with them for long.

    • @josheen
      @josheen 8 years ago +9

      That's not the same, you could enter a password saved as a session variable - $pass. Then when they email you, "Thanks for being with us, your password is $pass", and then once the scripts have been run and you close the browser window, ending the session, the variable is forgotten.

    • @littlemikey46
      @littlemikey46 8 years ago +43

      This wasn't a session thing, this was some time later I hit a forgotten password request and it sent me the password in full.

    • @lucaspeltie
      @lucaspeltie 8 years ago

      Uhm it's still in his email right?

    • @josheen
      @josheen 8 years ago +1

      Not when requesting a new password. Tom just didn't specify the exception that I explained.

    • @theamici
      @theamici 7 years ago +7

      Your bank uses passwords?
      In my country banks have several security features aimed at making direct attacks impossible. One of them is avoiding passwords, and instead using SMS messages and special programs on the phone.

  • @oliverlane9716
    @oliverlane9716 9 years ago +543

    Ughh the British government websites email your passwords... awkward haha

    • @andrerenault
      @andrerenault 4 years ago +105

      Government websites are ludicrously far behind.

    • @alanr6953
      @alanr6953 4 years ago +74

      Imagine trusting the government

    • @mrHello420__
      @mrHello420__ 4 years ago +4

      Same here in Italy 😅

    • @ZaHandle
      @ZaHandle 4 years ago +35

      Here in Thailand it's the safest system ever, can't even be hacked. Why? It doesn't exist

    • @user-ql9cc9hg4e
      @user-ql9cc9hg4e 4 years ago +1

      @@ZaHandle ur mom

  • @lilia3944
    @lilia3944 3 years ago +31

    We visited a security company with a cryptography course I did in the summer holidays.
    My favorite stories from there were a) the director of a company with "password" as a password and b) a company that managed to mess their hashing algorithm up in a way that hashes of passwords would be accepted as the password
    (they realized their mistake after someone got into that database and deleted all of their data - they didn't even have backups of most of that)

  • @RecursiveTriforce
    @RecursiveTriforce 5 years ago +434

    0:02 Facebook was found to have passwords stored in plain text...

  • @ShamelessHorse
    @ShamelessHorse 9 years ago +441

    The Hashing Process:
    Take a coherent sentence → Smoke some hash → Your coherent sentence has been converted into indecipherable, illogical ramblings on the meaning of life and conspiracy theories.
    WARNING: After hashing, you may feel an increased need to accept cookies.

    • @revolver265
      @revolver265 4 years ago +15

      I guess I'm always high - nobody can understand my incoherent rambling.

  • @gitcat6671
    @gitcat6671 5 years ago +49

    5 years later:
    *facebook logged passwords*
    *surprised pikachu face*

  • @jajai6377
    @jajai6377 4 years ago +207

    It's actually illegal to store passwords in plain text in many countries, namely France.

    • @lonestarr1490
      @lonestarr1490 4 years ago +25

      France is not many countries, but _one_ country. Instead of "namely" the use of "for instance" would have been more adequate.

    • @obiwac
      @obiwac 4 years ago +41

      @@lonestarr1490 you're wrong. In this case, "namely" and "for instance" are interchangeable.

    • @obiwac
      @obiwac 4 years ago +9

      @@kourii who said "namely" couldn't be used to refer to a single element in a group?

    • @sw_9_9_9
      @sw_9_9_9 3 years ago +9

      @@obiwac Umm nope, you're wrong. "Namely" and "for instance" are never interchangeable.
      "More adequate" is also incorrect. 😕

    • @asmallyoutube
      @asmallyoutube 2 years ago +2

      @@sw_9_9_9 niggardly then?

  • @shepd3
    @shepd3 7 years ago +37

    Thank you for the simple explanation. I often tell others about this, but if they're not techies, their eyes glaze over at an over-complicated explanation. This one was short and sweet.

  • @SolidSt8Dj
    @SolidSt8Dj 4 years ago +59

    I mean, I'm coming from 5 years in the future, and Facebook has had dozens of scandals where their users' passwords were just saved as plain text.

  • @UnitedRecording
    @UnitedRecording 7 years ago +1176

    your accent makes you smarter than you already are

    • @bazzie85
      @bazzie85 7 years ago +107

      remove "al" from already... and replace the "d" with "ll".... muahahaha

    • @HansYN_
      @HansYN_ 7 years ago +13

      +Basel Kader really

    • @Corvid
      @Corvid 7 years ago +46

      True! Why is this guy not on TV? I've seen presenters who sound like they've been picked off the street!

    • @bazzie85
      @bazzie85 7 years ago +35

      Corvid don't talk about Jimmy Fallon like that!

    • @generikadeyo
      @generikadeyo 7 years ago +43

      He's already very smart, the accent just helps him to sound cool.

  • @MishMash95
    @MishMash95 4 years ago +17

    When I was signing up for University accommodation, I was blown away that the system emailed me my password in plain text just as a reminder a few days before moving in!

  • @josephjackson1956
    @josephjackson1956 4 years ago +74

    I hate when I have to reset my password because I forgot it, but then I go to reset it and it says that I cannot use an old password.

    • @joefifield3285
      @joefifield3285 3 years ago +15

      I've experienced that before, and the worst part is I had already tried logging in with my old password and it was incorrect

    • @matthewparker9276
      @matthewparker9276 3 years ago +7

      I reset my password once and it told me I couldn't change my password to my current password.

    • @bir6140
      @bir6140 3 years ago +8

      They actually log your old passwords' hashes.
      This is not that bad.

  • @AlexanderHarris
    @AlexanderHarris 9 years ago +231

    Oh shit I think I've gotten my password via email before. This is retroactively terrifying. : O

    • @NotAMinifig
      @NotAMinifig 8 years ago +46

      +Alex Harris Sending passwords via email is terrifying in 2 ways:
      1) what the video is about (they have to store it)
      2) e-mail goes unencrypted over the public internet, and therefore is interceptable by almost anybody, way easier than cracking the database of the server.
      (sorry for the reply to an old post, wanted to terrify you some more)

    • @zavvie809
      @zavvie809 8 years ago +2

      +Simon Peeters Emails are usually encrypted, but yeah, still not as secure as a hash.

    • @NotAMinifig
      @NotAMinifig 8 years ago +15

      tadej petric uhm, no, emails are usually unencrypted. Your communication between your client and your mail server might be encrypted, but the communication between mail servers on the net happens unencrypted.
      So if I were to send an e-mail from my work e-mail to my Gmail, it would go encrypted from my laptop to my employer's server, then unencrypted to the Google servers, and then encrypted back to me.

    • @zavvie809
      @zavvie809 8 years ago +2

      Simon Peeters Oh yeah, I was thinking sending to the same domain and all. I've heard that stuff like that is different, but never found anything concrete (and I was only thinking sending to the same mail provider, which, AFAIK doesn't really leave the mail servers unencrypted. Forgot completely about that thing). I'm not going to argue on that since you're probably right.
      If you find any further read on that, please send me a link. I couldn't find anything relevant, but I've had troubles finding a good search term so you might have more luck here.
      Edit: either way, most man in the middle attacks don't happen when traffic is being routed between major web servers (but rather between you and the ISP unless there's some DNS spoofing involved or something like that) so at least that's something.

    • @possessedllama
      @possessedllama 8 years ago +1

      +tadej petric The problem isn't the e-mail being unencrypted. The fact that they can e-mail you your password is a sign that they aren't storing it securely in the database. Take Adobe, for example. They were encrypting passwords but not hashing them. There was a direct relationship between the password length and the encrypted password length and there was no salt so everyone with the same password had the same encrypted password. It was easy then for hackers to even use things like the collective password hints to guess / crack the passwords. This is why it's scary. The security of the e-mail doesn't even come into it.

  • @Metal_Fingers.
    @Metal_Fingers. 8 years ago +74

    This guy is a gem.

  • @mattwinward3168
    @mattwinward3168 4 years ago +24

    “YouTube doesn’t know your password...
    ...but Facebook does”

  • @santinieve1
    @santinieve1 6 years ago +19

    Awesome but how about this:
    Facebook sometimes shows a message when you type in your password but you were off by a character:
    “Your password is wrong but close, please try again” or something like that

    • @ZaHandle
      @ZaHandle 4 years ago

      clear cookies?

    • @corvus2735
      @corvus2735 3 years ago +4

      Well, this is actually not that much of a problem (but still not something I am comfortable with), because Facebook takes your input, and if it doesn't work, replaces some characters you typically type in wrong (think of "I" instead of "L") and tries that again. If one of those matches, you get the message "it is close"

    • @Icosalord
      @Icosalord 3 years ago +1

      henlo fellow dasher

  • @handsoffmycactus2958
    @handsoffmycactus2958 5 years ago +101

    My password story usually goes like this:
    Me trying to log in to a website or app
    App: please re enter your password
    Me: enters password
    App: password incorrect please re enter password
    Me: enters password (it's DEFINITELY this password)
    App: password incorrect. Account locked. Please create new password
    Me: enters password I have been attempting to use the whole time
    App: password cannot be the same password used previously
    Me: ARGHHH

    • @ellenorbjornsdottir1166
      @ellenorbjornsdottir1166 4 years ago +6

      Me: deletes app

    • @codinghub3759
      @codinghub3759 3 years ago +3

      This happens to me every time

    • @DerekSteen
      @DerekSteen 2 years ago

      Come join us in the 21st Century. We have password managers. :)

  • @XzTS-Roostro
    @XzTS-Roostro 6 years ago +11

    "Thank you, 'forgot password option', for literally being my password."
    -Jimmy Fallon
    Thank You Notes, Late Night with Jimmy Fallon

  • @iuhtrfdsacvdsgdf
    @iuhtrfdsacvdsgdf 9 years ago +50

    I live in tiny Holland.
    No building here before 2000 was allowed to be higher than "de Dom", which is a church from 1487 (or further back even) and is 151 meters high.
    Now I see the building in the background and I really realize just how puny and tiny our buildings are

    • @JacobShepley
      @JacobShepley 9 years ago +1

      tallest building in my city (Adelaide) is 130-140m tall
      our skyline is really boring

    • @74opt66
      @74opt66 6 years ago +2

      I live in NYC. I don’t really care about our skyline.

    • @maoitsme0
      @maoitsme0 5 years ago +8

      I don't get it... What does it have to do with password encryption?

    • @marcbrons4746
      @marcbrons4746 4 years ago +1

      Mao177 everything

    • @martinmulder8613
      @martinmulder8613 3 years ago +3

      Assuming you are talking about De Dom in Utrecht... then something is wrong here. It was built between 1254 and 1517 (in phases). It is 112.32 m high. There are other buildings in The Netherlands higher than 112.32 m:
      - Delftse poort, 151m high, finished in 1991
      - Rembrandttoren, 150m high, finished in 1994.
      So... what are you talking about? :/

  • @BertGrink
    @BertGrink 8 years ago +9

    WOW! This was really enlightening. Thanks, Tom, for this small but crucial bit of information. P.S. I really like your videos. You explain everything in such an easy to understand way.

  • @eslachance
    @eslachance 9 years ago +3

    I'd really like to see more of these in a web series or something. Very basic information, dumbed down for non-technical users. I used to work for an ISP so this kind of information would have been awesome to have. "Why can't you just tell me my password for the Internet?" - "Well, because we have a system admin that actually knows about security. Let me change your password and then I'll send you an informational video, darling." God that would have been SO useful.

  • @TillTheLightTakesUs
    @TillTheLightTakesUs 8 years ago

    Your last few sentences were the most impacting ones, I think I learned quite a lot from this video, thanks Mr. Scott.

  • @APlexchanel
    @APlexchanel 4 years ago +3

    That feeling when your ISP sends you the password for your account

  • @deidara_8598
    @deidara_8598 3 years ago +5

    Important distinction between hashes and prime factors: with hashes there's information loss, which is why it's so hard to crack, because one essentially has to guess what information was lost. With prime factors we genuinely don't have the maths to make an efficient algorithm on classical computers to factorize numbers; there's no information loss, humans are just too stupid.

  • @chohawk1
    @chohawk1 5 years ago

    I sincerely love all your videos! You just have this wonderful, and soothing tone that sounds very BBC (if you get what I mean!)
    Not only that, but the topics you cover end up grasping my attention for hours at end! Please keep it up! :3

  • @deadlymelody27
    @deadlymelody27 3 years ago

    This is probably the best explanation I have ever had for password encryption. I have had people try and explain it before but this way is so simple to understand

    • @GummieI
      @GummieI 3 years ago +2

      Well, it is technically not encryption, and using actual encryption for password storage would be a BAD BAD idea, since encryption can be reversed. However, yes, it is a good explanation of the basics of secure password storage/password hashing

  • @kamoroso94
    @kamoroso94 8 years ago +6

    Damn Tom, back at it again with the red shirt!

  • @legotrucks1
    @legotrucks1 6 years ago +3

    I miss the days when I would see a lot of recommendations from YouTube about Tom Scott doing a video about something computer related

  • @slpk
    @slpk 9 years ago

    Oh man, I've been trying to teach people this for ages, and you made it so simple. Thank you!

  • @KjeldSchmidt
    @KjeldSchmidt 9 years ago +1

    Cool video (though I've seen the computerphile ones before and they quite helped me half a year ago when I got serious about back end dev!).
    The preview looks AWESOME. Looking forward to it!

  • @Kellestial
    @Kellestial 3 years ago +7

    Fun fact: If you use Showbie in schools, not only does Showbie just store your password, teachers in the classes you're in can see it if they press a reveal password button on your name... run

  • @Leona_tf
    @Leona_tf 5 years ago +3

    I still remember when I created an account for a website, and they emailed me my username AND password to say "Welcome to ..."
    I never thought much about it because back then I didn't know ANYTHING about passwords, encryption, hashing, and I even used the same password for all of my accounts. But now, good god, did they store my password in plain text

  • @ErikHansenDrums
    @ErikHansenDrums 3 years ago

    Interesting video, this is quickly becoming my favourite channel

  • @joshgirndt4896
    @joshgirndt4896 3 years ago +1

    I have actually been working on an encryption program myself, just for fun. It's using kinda the concept of prime numbers, but it also has to work in tandem with a unique 8 digit key, which is a secondary piece of information provided for the user. The algorithm changes based on what key you give it, so the database comparison only works if you have both parts.

  • @RichardB1983
    @RichardB1983 9 years ago +4

    I've recently been sent my username & password (together) in an e-mail from a web service. Other people have raised this as a potential security flaw, but the site owners appear to be in denial, saying that the security complies with all of the Government's recommendations (it's a service backed by an arm of UK Govt). I doubt it does.

    • @cigmorfil4101
      @cigmorfil4101 4 years ago

      Perhaps you should tell them to send the ID and password on a postcard or the back of a sealed envelope through the post and see if they (and the government) think that is OK and not a security risk.
      (Plaintext emails are akin to postcards: anyone (with sufficient privileges) on the servers through which they pass (plus packet snoopers) can read them.)

  • @Jahnu8
    @Jahnu8 9 years ago +3

    I'm never going on that roller coaster AGAIN!

  • @AdzSONLINE
    @AdzSONLINE 8 years ago +2

    Thanks for the multiply by 11 tip, didn't think about that

  • @TheBaz234
    @TheBaz234 9 years ago

    Thanks for bringing me here Dan!

  • @JoelReid
    @JoelReid 8 years ago +31

    Many sites will send you a temporary password that you have to change immediately. So they can know your password... until you log in.

    • @NDBoost
      @NDBoost 8 years ago +6

      +Joel Reid They could, though usually they know the hash of that password stored in the database and email off the plain text on submit. After that the plain-text password is tossed; when you type the new temporary password in, a hash comparison is done like always and then they ask you to change it again.
      This is also typically known as a reset token; it's the same basic concept which allows you to be validated and authenticated to change your password. Usually for password resets you won't notice the token though, usually it's embedded in the URL, something like ?token=12301i24kjbh124ljhsdpfiuh28
      I handle this by assigning a random token to a user's row in the DB, and setting a flag like resetPassword = true. They click the link, the software checks the token and checks if resetPassword=true, and if it does then it asks for a new password. Temporary passwords work the same way, there's just a manual intervention of the user having to type in the temp password.

    • @SolidRoot
      @SolidRoot 8 years ago +3

      +Joel Reid That's true, but that temporary password is salted in the same manner as the video said, so they really only know it from the email logs (i.e. it's not stored in the database).

    • @theramendutchman
      @theramendutchman 3 years ago +1

      @@SolidRoot Which means, they have your password during that time
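    The reset-token flow @NDBoost describes above (random token on the user's row, a flag, a link that is checked before a new password is accepted) can be written so that no usable secret ever sits in the database or in mail logs. The following is an added example, not code from the video or from any commenter: the token is generated from the OS CSPRNG, only its SHA-256 is stored (which also replaces the separate `resetPassword` flag), it expires, and it is invalidated on first use. `USERS`, `begin_reset`, `complete_reset` and `TOKEN_TTL_SECONDS` are names assumed by this example, and the in-memory `USERS` table stands in for a database; the password hash values are placeholders, since hashing the password itself with a slow KDF is a separate step.

    ```python
    import hashlib
    import hmac
    import secrets
    import time
    from typing import Dict, Optional

    TOKEN_TTL_SECONDS = 15 * 60  # reset links stop working after 15 minutes

    # Constructed in-memory stand-in for the users table. "password_hash" would be
    # produced by a slow KDF in a real system; the value here is a placeholder.
    USERS: Dict[str, dict] = {
        "alice@example.com": {
            "password_hash": "<kdf-hash-placeholder>",
            "reset_token_hash": None,  # only the hash of the token is ever stored
            "reset_expires": None,
        },
    }


    def _token_hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()


    def _clear_reset(user: dict) -> None:
        user["reset_token_hash"] = None
        user["reset_expires"] = None


    def begin_reset(email: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a single-use reset token and return the plaintext to put in the email.

        The database keeps only sha256(token): a copy of the table does not yield
        working reset links, and no plaintext secret is persisted anywhere."""
        now = time.time() if now is None else now
        user = USERS.get(email)
        if user is None:
            # The caller should show the same "check your email" message either
            # way, so the response does not reveal which addresses are registered.
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        user["reset_token_hash"] = _token_hash(token)
        user["reset_expires"] = now + TOKEN_TTL_SECONDS
        return token


    def complete_reset(email: str, token: str, new_password_hash: str,
                       now: Optional[float] = None) -> bool:
        """Validate the token, store the new password hash, and burn the token."""
        now = time.time() if now is None else now
        user = USERS.get(email)
        if user is None or user["reset_token_hash"] is None:
            return False  # no reset in progress for this account
        if now > user["reset_expires"]:
            _clear_reset(user)
            return False  # expired links are discarded, not retried
        if not hmac.compare_digest(_token_hash(token), user["reset_token_hash"]):
            return False  # constant-time comparison against the stored hash
        user["password_hash"] = new_password_hash
        _clear_reset(user)  # single use: a replayed link fails
        return True


    if __name__ == "__main__":
        t = begin_reset("alice@example.com")
        print("token to email:", t)
        print("first use:", complete_reset("alice@example.com", t, "<new-kdf-hash>"))
        print("replay:", complete_reset("alice@example.com", t, "<new-kdf-hash>"))
    ```

    The plaintext token exists only in the outgoing email, which is exactly @SolidRoot's point that the one place it can be seen is mail logs; hashing it before storage means the table row alone gives an attacker nothing, and the expiry bounds how long an intercepted email stays useful.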

  • @exterminator9676
    @exterminator9676 7 years ago +5

    6:37
    How Tom Scott Can Find Your Password Instantly
    Tom Scott
    375K views

  • @shawniscoolerthanyou
    @shawniscoolerthanyou 3 years ago +1

    I worked at a SaaS place that had passwords stored in plain text in the users table. It was a platform the company had acquired and was phasing out, but it was still a bit of a shock. We had to convert some customers sooner than others since they were in a state that required more stringent security practices from vendors.

  • @gingermann19
    @gingermann19 9 years ago

    This was very entertaining! You just earned yourself a subscriber. :D

  • @hannibal8566
    @hannibal8566 9 years ago +3

    I died on a rollercoaster and now I'm here. Wow.

  • @liamtahaney713
    @liamtahaney713 4 years ago +3

    "things you [tube] might not know"

  • @94djcab
    @94djcab 3 years ago +1

    I've been a software engineer for years and definitely know how hashing data works. Still watched through it and enjoyed it, and IDK why YouTube recommended me this.

  • @Lawls
    @Lawls 9 years ago

    Just hit subscribe because your videos are awesome, and it turns out I'm your 200,000th subscriber ^.^

  • @Zi7ar21
    @Zi7ar21 5 years ago +6

    Me: Do you know if I typed my password correctly?
    YouTube: *Well yes, but actually no.*

  • @Mankorra_Gomorrah
    @Mankorra_Gomorrah 7 years ago +130

    Funny you should mention yahoo....

    • @IanMustafa
      @IanMustafa 7 years ago +16

      It's an old video, mate. Nobody knew back then.
      Besides, if the user uses a weak password like 12345678 or qwertyuiop (or any dictionary words), the password could be "easily" guessed using a combination of brute force and dictionary attack

    • @slackingsource
      @slackingsource 7 years ago

      Ian Mustafa They knew, they just chose not to say anything for a while.

    • @dakat5131
      @dakat5131 6 years ago

      Didn't Yahoo! use a hash system that had been broken for ages by then, and never upgraded to a secure one?

  • @matijaradeljak
    @matijaradeljak 6 years ago +1

    Tom, thank you so much for this particular video, especially the ending, as I'm sending it right now to a client of mine who is asking me why I am telling them to change their hosting provider after they recovered a password in a plain text email :))

  • @matevzkramar
    @matevzkramar 8 years ago +1

    Very educational video! In fact, all your videos are.

  • @wandereppink
    @wandereppink 9 years ago +5

    I was just brought here by a guy who turns people into red mist using a rollercoaster

  • @SargentoPeppermint
    @SargentoPeppermint 9 years ago +36

    Twitter is the best YouTube subbox

    • @Alumx
      @Alumx 9 years ago +1

      Develop

    • @katiejanzen347
      @katiejanzen347 9 years ago +1

      Nah man, gmail!

    • @Tordek
      @Tordek 9 years ago +7

      RSS, if you're smart.

    • @SargentoPeppermint
      @SargentoPeppermint 9 years ago +1

      Tordek Twitter is easier and you get pretty much the same result and you can even interact with the uploader
      10/10 would tweet again

    • @SargentoPeppermint
      @SargentoPeppermint 9 years ago +2

      xato909 Simple. YouTube's subbox is shit, therefore anything would be better. Due to its ease of use, the ability to get the message that a new video is out "instantly", even before it's public (sharing the link to an unlisted video), and being able to interact with the uploader, Twitter gets my "8/8 m8" award for the best YouTube subbox of the year.
      Developed enough for ya?

  • @DemoBytom
    @DemoBytom 9 years ago +1

    The only small bit of info I think was lacking was that the hashes made from passwords are (or rather should be) unique. So that not only is reversing the operation to get a password from a hash nearly impossible, but getting the same hash from 2 different passwords is as well. Otherwise, nice, clean and easy to follow for anyone :)

  • @Triadii
    @Triadii 4 years ago

    Well explained as usual, Tom!

  • @TheRicoboy22
    @TheRicoboy22 5 years ago +8

    It's 2019 and I know a website I use regularly that stores my password in plain text. It's stupid this is still an issue in 2019.

  • @Physics27
    @Physics27 3 years ago +12

    Hi Scott, great video, love this type of content. I think something you missed explaining to the regular user is that if someone steals that hash of your password it's no good, because when they put it through the same algorithm it won't give a useful answer. A lot of people will not understand this without being told.

  • @TheLeeroy2525
    @TheLeeroy2525 6 years ago

    Love your videos mate.

  • @alcesmir
    @alcesmir 9 years ago

    I totally forgot I was on TYMNK and was awaiting the Computerphile ending. Damn you ***** and your omnipresence abilities...

  • @benaustin1003
    @benaustin1003 9 years ago +20

    Isn't it funny how Dan's comment sections are in other videos?

    • @Quinton238
      @Quinton238 9 years ago +1

      It would be nice if he would unblock them, seeing as the YouTube comment section is truthfully much nicer than it used to be.

  • @CBNPints
    @CBNPints 9 years ago +7

    I'm here from a man who likes building murderous roller coasters.

  • @Flopsaurus
    @Flopsaurus 9 years ago

    Very informative video. Thanks!

  • @dizzydude007
    @dizzydude007 9 years ago

    I love these computer related videos!!

  • @MrSauceman09
    @MrSauceman09 9 years ago +14

    My password is red mist

  • @HITHEREWINSTON
    @HITHEREWINSTON 2 years ago +3

    I was very disturbed when Virgin Media sent me my password in plain text, IN THE MAIL. It boggles me how one of the UK's biggest ISPs is so lax on security.

  • @synexiasaturnds727yearsago7
    @synexiasaturnds727yearsago7 4 years ago

    You did the shortcut that I thought no one used!

  • @Nick-lg4qj
    @Nick-lg4qj 4 years ago

    You just answered my programming assignment.

  • @zenoist2
    @zenoist2 8 years ago +9

    I don't know my password either.

  • @thesteamycreamofdualjabbar6486
    @thesteamycreamofdualjabbar6486 9 years ago +9

    I'm a monster *unce* *unce unce* *unce*

    • @MDthe1st
      @MDthe1st 9 years ago +2

      I see what you did there :)

  • @shahman1
    @shahman1 8 years ago

    This was very USEFUL! :)

  • @kevingruenofficial
    @kevingruenofficial 4 years ago

    Informative video, thank you!

  • @TricksterRad
    @TricksterRad 8 years ago +2

    It's necessary to point out, though, that if a company sends you a password, it usually is a new randomly generated one.

    • @El-Burrito
      @El-Burrito 8 years ago +1

      +Jan Novák They shouldn't even be doing that, most e-mail is not secure. Passwords should always be generated by sending you to a web page on the site with time sensitive authorisation and allow you to type in your own password.

    • @TricksterRad
      @TricksterRad 8 years ago +3

      El Burrito That's why you're supposed to change the password as soon as you log in. Plus, I don't think it matters, if your email is compromised, whether you get a link to change the password, or send a newly created password.

  • @INeedAttentionEXE
    @INeedAttentionEXE 8 years ago +4

    2:20
    Or quantum computers, or Molecular computers

    • @noahhounshel104
      @noahhounshel104 8 years ago

      +TheCrafting Criminals Never heard of a molecular computer. Quantum could theoretically break what we use currently but there are still ways around it.

    • @INeedAttentionEXE
      @INeedAttentionEXE 8 years ago

      You're totally right, since atoms can be in multiple states at once, but if you even look at them wrong they freak out

    • @noahhounshel104
      @noahhounshel104 8 years ago +1

      TheCrafting Criminals It's not atoms.

    • @INeedAttentionEXE
      @INeedAttentionEXE 8 years ago +1

      Noah Hounshel Sorry, I meant photons or electrons

    • @dragon4c3_71
      @dragon4c3_71 8 years ago +2

      +TheCrafting Criminals hence billions of dollars.

  • @ericfelds6291
    @ericfelds6291 a year ago

    I find this mildly comforting

  • @FountainMath
    @FountainMath 9 years ago

    Numberphile would love this.
    Thanks for the video Tom.

  • @SmugLookingBarrel
    @SmugLookingBarrel 8 years ago +11

    But doesn't that open the possibility that a different password will be accepted instead of your real one if it hashes to the same code? Let's say your hashing algorithm is "number % 10", then if my password is 244, I could type in 384 and it would work.

    • @potatosordfighter666
      @potatosordfighter666 8 years ago +2

      +Najarala No

    • @potatosordfighter666
      @potatosordfighter666 8 years ago +10

      Let's MASSIVELY simplify it. If you multiply 2 by 5 is it possible to get 10 by multiplying any other number by 5? No.

    • @JivanPal
      @JivanPal 8 years ago +20

      +Najarala
      Some operations are many-to-one. That is, different inputs can result in the same output, which is your concern.
      However, the hashing/salting algorithms used for cryptography are always one-to-one operations, meaning that there is absolutely no way that two different inputs can result in the same output.

    • @potatosordfighter666
      @potatosordfighter666 8 years ago +4

      So what I said, but in a more complex manner.

    • @JivanPal
      @JivanPal 8 years ago +18

      *****
      You gave an example, whereas I gave an explanation.

  • @smellthel
    @smellthel 3 years ago +3

    Don’t use abc as a password, kids

  • @JeffreyBodenstein
    @JeffreyBodenstein 9 years ago

    Awesome job explaining. I have many users at work who should watch this.

  • @EddyProca
    @EddyProca 9 years ago

    Yay, finally another Tom video on Computerphile! Oh...

  • @krypto276
    @krypto276 9 years ago +9

    I was sent here by a man who failed to kill Hitler with a 95 positive G explosive rollercoaster.

  • @intelX1000
    @intelX1000 7 years ago +5

    That's wrong though. If you hash server side, you MUST, at least for a short time, store the password in plaintext on RAM. Also, most password hash algs aren't "hard" to do backwards, but absolutely mathematically impossible, simply due to overlap.

    • @oolivero45
      @oolivero45 7 years ago +1

      Most websites don't hash server side though. Usually, the client hashes the password, then sends the hash to the server to be stored; preventing a plaintext copy of the password from being intercepted during transmission.

    • @JJJMMM1
      @JJJMMM1 7 years ago +5

      Oliver: That is wrong and a really, really bad idea. If you create the hash+salt on the client side and send it to the server to be stored, it effectively becomes your password that you send and store as plaintext. Intercepting it would have the same effect as intercepting your original password. If the user database was leaked, anyone who saw the hash could log in to your account easily by modifying the login page code a bit or doing a manual HTTP query. You'd lose almost all the benefits of hashing.
      Hashing isn't a sound way of securing your traffic. You should encrypt traffic properly with TLS.
      Re-hashing the hashed password on the server side and storing that would prevent the plaintext problem, but it also adds the disadvantages that come with peppering. Suffice to say it's not good practice.
      There's a whole slew of other problems with client-side hashing. Updating encryption algorithms would be tricky. I won't even go into the problems specific to browsers.
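The server-side, salted hashing that this thread (and DemoBytom's earlier comment on hashes being unique per user) is arguing about, as an added example that is not part of the video or of any commenter's post. PBKDF2-HMAC-SHA256 from Python's standard library and the iteration count are assumed choices, and the user table and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example, not from the video or any commenter. PBKDF2-HMAC-SHA256 and
# the iteration count are assumed choices; tune the work factor to your hardware.
ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record "pbkdf2$<iterations>$<salt hex>$<digest hex>".

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be cracked in one pass.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-run the same one-way function on the candidate and compare.

    The server never needs the original password back: it only checks whether
    the candidate produces the stored digest. compare_digest runs in constant
    time so the comparison does not leak how many bytes matched.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Constructed user table: only records are stored, never the passwords.
USERS: Dict[str, str] = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),  # same password as alice
}

def login(username: str, password: str) -> bool:
    """Look up the stored record and verify it; unknown users simply fail."""
    record = USERS.get(username)
    return record is not None and verify_password(password, record)
```

Note that alice and bob share a password yet have different stored records, and that the only way to turn a record back into a login is to supply the password again.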

  • @adifferentlynameduser7050
    @adifferentlynameduser7050 9 years ago

    Clever fella :) Thank you for giving us a few quick tricks and some interesting facts ^_^ Keep up the good work, Tom :)
    (Seriously thought you were the lead actor off of Spooks for a moment there :P )
    Have a good day today ^_^

  • @M1N1MANG30
    @M1N1MANG30 7 years ago

    This got me 5 marks in a computing test, thanks!

  • @theramendutchman
    @theramendutchman 3 years ago +3

    Or sites that set a limit like "password cannot be longer than 15 characters"
    There's no reason to do that unless you want to save space and avoid errors surrounding plain text... So hopefully not the passwords!

  • @mrloganz3033
    @mrloganz3033 3 years ago +4

    “I’ll double your bitcoin you send 1000 I send 2000 back!” -Elon Musk, 2020

  • @theinstantnoodle9628
    @theinstantnoodle9628 9 years ago

    Mind blown. Awesome video.

  • @BS-vx8dg
    @BS-vx8dg 2 years ago

    I've never seen Tom inside an office before. He's always out in the wind in the videos I've seen.

  • @naffal1538
    @naffal1538 4 years ago

    Damn, coming back and seeing Tom with a mullet, now that's something

  • @ezadviper
    @ezadviper 9 years ago

    Yay, Tom Scott video!!

  • @ba3cool
    @ba3cool 9 years ago +1

    Nice view. One Canada Square, Canary Wharf, neat-o!

  • @devorahberkowitz5536
    @devorahberkowitz5536 6 months ago

    So interesting and very clearly explained!