Some people watching will have goodpasswords, some people will have thought about this before, some people should have thought aboutthis and haven't, and hopefully will after we talked about this a little bitmore.
Um, in the previous video I showed you cracking a password using pretty basictechniques, right? There are people who know more about this than me who run othercustom dictionaries and rule-sets and things, right? It's not really importantfor getting the message across of just how quick this is.
Picking a good passwordwas actually a lot easier than people make it.
XKCD alluded to this and we'll talk about thatin a minute.
It didn't necessarily answer every question but it did get a goodmessage across and then as other aspects should you reuse passwords and, and soon.
so let's address these.
Passwordcrackers and and people who research password security talk about somethingcalled password entropy, which is the amount of information held in a password, the idea being that if you're notholding much information in a password, it's going to be cracked very quickly becauseit's not a much search space to go through.
Now in someways I think that's a bit of an overcomplication I think practically you need to look attwo things.
You say, first of all, can it be brute-forced, right? In which case if the answer is is yourpassword shorter or equal to 8 characters, the answer is yes, right? If your password's ninecharacters and you're using symbols, you're probably ok, right? Fairlystraightforward, ok? As GPUs get faster, these barriers go down, and then you've got toask, “Is your password dictionary crackable?”, right? Those people in the lastvideo didn't think so, and then there I was cracking theirpasswords and they had quite good ones, some of them.
So you've got to do twothings: you've got to make sure your password is long enough and usesinteresting characters so it can't be brute forced, but beyond that you've got to makesure that you can't be dictionary attacked.
Let's get this out the way first; if yourpassword is “password”, you probably want to close out your browser right now andchange it and, you know, hang your head a little bit.
If there's any variation onthe word “password” or has any of the numbers “1 2 3 4” in order in it, you needto delete those passwords, maybe delete your account out of shame, right?Because, oh dear.
Ok, so I'm not addressing those, I'mdressing.
addressing, I guess, what what a better password will be.
Nowpassword systems in general are not a very useful way to authenticate, right? A lot ofpeople think this, ok? Because they're hard to remember, unless you pick an easy one to remember, in which case it's easy and not secure, alright? So, in some sense we've tried to find a way of authenticating ourselveswhich is hard for a human to remember, easy for a computer to guess, and peopledo it badly, right? There's lots of reasons why passwords are terrible.
Googlethinks passwords are going the way of the Dodo, because they're bringing in this newauthentication system where, you know, it tracks your movement in your pocket andthings like this.
Fine, maybe that will work, but in theback you're always going to have some kind of password, because you don't wantto be pulling your phone out of your pocket and Google saying, “you moved yourphone weirdly, so can you type in your PIN code”, right? You're gonna have to havesomething backing it up at all times.
For now, we're going to have passwords for awhile longer.
And so we have to think about what theyshould be.
So, obvious rules: 8 characters, 7 characters, not long enough, right? If you have an 8 characterpassword and you assume, just for a minute, that the website you're hostingit on is storing them in MD5, then I'm going to be trying passwords at forty billion hashes per second.
How long's it gonna take me to getthrough eight? Not that long, right? If I'm smart about my character sets, less thana day, a few hours probably.
So, let's talk about the better approachor the nearly perfect approach of XKCD and how can we improve even on that.
So XKCD suggested the situation where youhad a decent password, because it was hard to remember, because it was someword that you've got.
Is it “troubadour”? And you change a few letters around fornumbers, and you capitalize things and you stick in a symbol somewhere andthings, and his argument is that this isn't a good password because there'snot much entropy, because you're doing standard things that people do inpasswords, right? Now that's absolutely true in the sense that if you replace an'e' for a '3', everyone does that, that's number.
rule one on the list, ok? Don't think that'sclever because it's not.
lf you replace a 'z' for a '3', actually that'sstill not very good.
Let's pick a better one.
an 'o', ifyou replace an 'o' for a '3', that's slightly better, but someone's still probably goingto have written that rule, because why wouldn't they when it's so fast to try them out? Ok, soyou've got one option which is up which is a kind of hard word to rememberwith a bunch of weird to remember symbol exchanges, and then you've got anotherone, which is just four words appended together: correct horse battery staple.
Ok I think that's the order, right? Noweveryone knows that password which kinda means that password is not very good, but the point remains: if you pick, his argument is that if you pick four words and juststick them together, you have.
It's inherently un-brute-forceable, if that's averb, right? Because it's too long, even withall lowercase even without symbols and things, and it'snot really gonna come up in a dictionary much because those are weirdcombinations of words that aren't very often used, and it's four of them.
Ok, so how breakable are these twopasswords? Well, first of all, troubadour with all those exchanges probablyslightly harder than he suggests, because its entropy is not bad.
I think it's 11 characters and you knowthere's some exchanges there.
Not all of them are immediately obvious.
So it's not absolutely terrible andperhaps slightly better than many things but he's absolutely right but it's quitehard to remember and a bit of a pain, certainly a pain to type in.
“correcthorse battery staple”, much easier to remember, no funny characters to press, you get totype that quite quickly but the issue is that we don't brute force passwordsof that length, we dictionary attack them, right? So the question really comes down to, “is'correct horse battery staple' going to come up in a dictionary attack?”, and the answeris, “probably not”, but once we start thinking people are just appending fourwords together, maybe yes, ok? So instead of our passwordcracking being a brute force of the number of characters to the power of thelength of our password, it becomes the number of words we mightuse to the power of the number of words we are using, okay? So in this case, let's say the topten thousand words to the power of 4, okay? Which happens to be a very big number, so we're kind of safe.
But what if you only pick obvious words?”Staple”, I've checked, right? I've checked a list of about the top20, 000 english words; “staple” is somewhere around 12, 000, right? Which means that wedon't tend to use it very often, that makes sense.
“Horse” is much further upthe list so were “correct” and “batteries” further up the list as well.
I mean, we all have phones, we talk aboutbattery all the time.
So, if you hypothetically picked four words that werein the top five hundred, then suddenly the search base is 500 to the power 4 whichis much smaller and your bad password is crackable.
So, my advice to anyoneattempting a password system like this is to assume that the person attackingyou knows you're doing a password system like this and pick hard words, right? Abrand name or a word that isn't going to come up in a list of obviouswords that people use, ok? “staple” is not a bad word, the otherthree are not great.
So, you know, change it for something else, ok? Off the top of my head, uh.
“lemming” isprobably not a very common word we use, ok? Don't use it now, because I said it.
I've gota Rubik's Cube, here “rubik” is probably not, or “Rubik's” is probably not in the topten thousand english words, right? Which makes a search space much harder to use, ok? We're changing the problem around to bea question of can they guess the word you'll used not the structure of your password, ok? Soa really good password will be three english words, i would say, right? With oneword that's a bit out there Ok a bit odd; maybe it's a made-up wordor something, right? Because then you can't be brute forced because of the length, you can't be brute force because of a combination of easy dictionary words, right? And you don't need to put symbols in, because it's just too hard anyway.
Ok, that would be really strong.
If youwant to be even stronger than that then just stick an underscore right inthe middle of one of the words, just to really annoy everyone, right? Because ifyou stick it between words it's going to fit into a standard rule set of the sortof things people do with passwords, but if you put like an ampersand in themiddle of a word that shouldn't have an ampersand in it, like “horse”, “ho&rse” in the middle of”correct ho&rse battery staple”, it's just that much harder to crack.
Andthen, for you to be able crack that password, a lot of things have to goright for the attacker.
They have to know the four words you'regoing to use, in the right order, and they have to have tried that with the exactright rule set that put an ampersand in at that exact position.
And pick a word thatother people don't use very often, like your favorite band name or somethinglike that, ok? Because that way.
maybe not yourfavorite band name if you blog about them because then they can social engineerthe password, that's a different question.
This is what you do if you have to picka password, right? But what you should really be doing now is using a passwordmanager.
So, in some sense a password managerswaps you remembering a bunch of passwords for you hopefully rememberingone really good password, ok? So this is the kind of password policythat you go even further with and make that your master password.
So what a password manager does if it'swell programmed is encrypt a database of your passwords for all your different websitesand and and you know accounts and then you secure that with a master passwordof some description, right? And your master password has to be good and idon't mean, you know, “password password password” because no one's going to guessit's three times long, right? It needs to be of the level we were justtalking about.
And you also need to look into whatencryption the password manager uses, where's the decription done, it's notdone on the server, we need to make absolutely sure it's all local and thingslike this.
So look into it and see how they do their security.
I've looked into a lot of password managers.
They're all pretty good, you know, of the major players, right? They all use broadly similar schemes, they use very difficult to break hashes with lots ofiterations, which means that even if your passwords are released on the internetthey're in encrypted form and they can't be obtained.
So all my passwords are 16 characters oftotally random and I don't know what they are, right? So if my.
if my databasegets deleted i'm somewhat in a problem right? But, my master password is similar, I won't give away too many too muchinformation on what exactly it is it, right? But my master password is in a similar veinto what we were discussing just now and I believe is essentially uncrackable at, you know, currently.
But i can type it in quite fast, because I've done it a lot.
It's long enough and i can remember it, which is good, and i only have toremember one which makes it that much easier.
So now, when you log on to a websiteand it says, “register for this website” again, and I'm only going to use it for five minutes, what am I going to do? I'll justmake it my standard password that I use every time.
Instead of doing that, youthen go to your password manager and generate random 16 characters and it'swin-win because then, if you never use the website again, it doesn't matter anyway, becauseyou've got.
you've got a random password.
And if someone, if that website is a bitdubious and they release your password later in a hack, it doesn't matterbecause it's random, right? And that brings us on to last point:never ever reuse passwords, ever.
I fallen to this before, someone triedto log into my Facebook once with a password that got leaked, someone tried to log into my Skype with apassword that got leaked, and that was my fault in a sense, because I used to usethe same password a number of times before I knew what I was doing, right? This is a few years ago.
Now, I know you have to have different passwords.
That way, if a password gets leaked down to the internet and hopefully it's randomanyway, from your password manager then we're in business, right? You change thatpassword, and you're secure again.
If your master password for your.
for yourdatabase is weak, then they are going to hack it, and then if they get in they getall your passwords.
So, obviously that has to be really really strong.
Last Password's been hacked a couple of times, butthis encryption is so strong that if your if your master password is strong it'sfine.
Which is a bit Cavalier thing to say, butit's actually true because of how many iterations they use.