An excellent poem there at the start: "Some people watching will have good passwords, Some people will have thought about this before, Some people should have thought about this and haven't, And hopefully will, after we talk about this, a little bit more"
All this talk about passwords always reminds me of this scene in Harry Potter and the Prisoner of Azkaban (the book at least, not sure if it made it into the movie): In the story, the students have to say a password to get into their dormitory. Because of heightened security, they change the password so often that one of the students with rather poor memory (Neville) ends up writing down the whole list of passwords on a piece of paper. That list ends up getting stolen, defeating the entire purpose of the heightened security.
No, but that's actually why you *don't* want to force people to change their passwords too frequently. The more frequently you have to change your password, the more likely you are to make insecure ones, to the point that people can sometimes even guess your current password given a list of your previous ones. So frequent password changes actually lead to exactly the sort of security issue that let Sirius break into Gryffindor Tower.
It's all fine and dandy until you have to use a website that either: a) forces you to use uppercase, numbers, symbols, runes, smoke signals... or b) limits your password to something like 12-16 characters
My bank's online banking takes the cake here: they use CONSECUTIVE numbers for the username and exactly 6 numbers as the password. You CANNOT change the username and you must use a 6-number password.
Yeah, I would change banks as well. Not only is a 6-character set too small, you claim it's only a 6-number set. You don't even need one Titan to crack that. An 8800 GTX could do it in under a second.
Stack Exchange uses a scheme where the 10,000 most common passwords are simply disallowed. Otherwise it simply has to be long enough (I think >8 symbols). That seems pretty sensible to me.
I've had multiple sites/services tell me my password is too long, and even had one telling me I couldn't use special characters. How am I supposed to have a safe password when you don't let me, damnit.
If the account isn't too important, make the password jfjfuenx;3*7bckflDam#,3:#ebuxBDUgrjrb&{¥¡cjDNdu47`¥ejbxkif and put it in a txt on a pendrive or somewhere in your documents. If you can't go stronger by length, go stronger by using a more difficult charset.
+Laharl Krichevskoy Did you miss the part where he said "I've had multiple sites/services tell me my password is too long, and even had one telling me I couldn't use special characters."? Also, please please please don't put passwords in text files. If you're going to use super-strong random passwords, use a password manager.
I'd be interested to hear Mike talk about workplace password resets. Lots of places I've worked require employees to reset their passwords every month, and some have onerous requirements for length and symbol usage. I think that rather than improving security, it encourages people to make passwords easy to guess (since they expect to forget), or worse, actually write their passwords down and stick them to the computer.
@MrBibo2050 yeah, now that you know his scheme it's a piece of cake, you just need to guess which 4 of the thousands of languages out there he used (it might include fictional languages like Eldar, Dothraki or Klingon), narrows it down to just ~4^(10^7) or so possible passwords..
How about using more than one language in the password? For example, horsecaballocapallceffyl is just horse in English, Spanish, Irish and Welsh - unless the hacker tries dictionary attacking you with multiple languages at once (which would surely increase the search space to the point of absurdity), that should be safe, still only requires you to remember four words, and most people know at least some words from a foreign language.
That sounds alright at first glance, until you realize the search space is actually quite low because you still used a common English word as the base component. Say the dictionary is a top 1000 of English words with European translations. Assuming that horse is in there, your password is going to be in there. I'd say that, to actually benefit from multiple languages, do use a set of different words, in the different languages.
You know that this is already so much more unlikely than getting struck by lightning and eaten by rabid squirrels afterwards that this argument is somewhat ridiculous? In fact, getting attacked by rabid squirrels has happened way more often than successful attacks based on md5 collisions. Just google it.
To emphasise the point made around 4:17, just for fun, I tried typing in "correct horse battery staple" into the password strength checker for my Google account. It was considered strong up until I finished typing the last word, at which point it dropped to medium, so he's absolutely right that XKCD's password is not a good choice, just like any other password everyone knows.
1. 4:59 He addressed that: "(You can add a few more bits to account for the fact that this is only one of a few common formats.)" 2. 5:42 The comic assumed the top 2048 words. You can tell based on the bits of entropy in the illustration. One thing I think would be great to mention here is diceware. A nice system for choosing passwords that makes it easy for you to generate memorable passwords with any level of entropy you desire. I use around 100 bits of entropy for my low security master password, and ~120 bits for my high security master password.
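The entropy figures in the comment above (2048 words in the comic, diceware, "100 bits" and "120 bits") follow from one formula: a passphrase of n words drawn uniformly from a list of N words carries n·log2(N) bits, and a random character string of length L over an alphabet of A characters carries L·log2(A). The block below is an added example (not from the video or any commenter) that computes those numbers and generates a passphrase the diceware way, with the OS CSPRNG; the word list is a constructed stand-in, since a real diceware list has 7776 entries. The bits only hold when the words really are chosen at random: "correct horse battery staple" itself, or any phrase you picked because you liked it, sits in every cracking wordlist and gets no credit from the formula.

```python
import math
import secrets

# Constructed stand-in for a diceware list; a real one has 7776 (= 6^5)
# words so that five dice rolls select one word.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "scissors", "plateau",
                "staring", "blank", "window", "distance", "rain", "skin",
                "taste", "autumn", "bandy", "world"]


def bits_per_word(wordlist_size: int) -> float:
    """Entropy contributed by one word chosen uniformly from the list."""
    return math.log2(wordlist_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` independent uniform picks (2048^4 = 2^44 for the comic)."""
    return words * bits_per_word(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest word count that reaches target_bits with this list."""
    return math.ceil(target_bits / bits_per_word(wordlist_size))


def random_chars_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string, e.g. 8 printable ASCII characters."""
    return length * math.log2(alphabet_size)


def generate_passphrase(wordlist, words: int, sep: str = " ") -> str:
    """Diceware-style generation: secrets (CSPRNG), never random.random()."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(f"comic, 4 of 2048 words: {passphrase_bits(2048, 4):.1f} bits")
    print(f"diceware words for 100 bits: {words_needed(7776, 100)}")
    print(f"diceware words for 120 bits: {words_needed(7776, 120)}")
    print(f"8 random printable chars: {random_chars_bits(95, 8):.1f} bits")
    print("sample:", generate_passphrase(SAMPLE_WORDS, 4))
```

With the real 7776-word list each word is worth about 12.9 bits, so the commenter's 100-bit master password needs 8 words and the 120-bit one needs 10; four diceware words (about 51.7 bits) come in just under eight fully random printable characters (about 52.6 bits) while being far easier to remember.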
"Oops! Your password is too long!" "Oops! You need to include a number, a symbol, and an upper and lowercase letter" "Oops, that character is not supported!"
I think this presentation is brilliant. I have one small point to make when it comes to random websites that require you to make an account. If the website is not going to be storing sensitive information, then surely just using a weak password to circumvent this annoying requirement of having to create an account is not much of an issue.
Love these videos. Great presentation Dr. Mike! On the subject of choosing passwords, I've run across something odd myself. A password is something you use over and over again. I've used it as a psychological tool. My password is a positive affirmation of a couple short sentences. If you are going to type it over and over again, then why not? I feel that I perceive a difference in myself just because I changed the password I type constantly. Also cracking full sentence passwords might be hard :)
My favorite stuff is the "Secret Question" stuff that pops up when I forget my password or when I need to answer a "shield" question. I give wrong, easy to remember answers to the questions about what my first car was, where I went to Elementary school, etc. If I get to make up my own question, then it's REALLY fun.
And if you use phonetic substitution (a common example in English would be to replace "for" with "4") in the middle of one of your words, use one of those other languages. (The main reason I don't use more words from my north-Norwegian dialect than I do is that a lot of them need letters that require a Norwegian or possibly Danish keyboard to write, which is a problem if I ever need to write them on a different keyboard.)
Use your dialect, if you have any. Use your dialect in phonetic, if you can. Use your dialect in phonetic and add symbols if you like. But in the end, don't use it everywhere, cause a single cracked database screws you over everywhere else.
I've gotten permanently locked out of accounts using non-7bit characters. In a few cases it looked like I damaged their database or something given how the site behaved when trying to login or reset the password. This is gradually less of an issue over time but at least once upon a time a lot of sites appeared to use hand-rolled systems that didn't sanitize input.
I got a lot more canny about passwords a few years ago, and have adopted a common scheme for them. I thought this would mean I could remember them all much more easily and still be secure. But the really irritating thing is that whatever rules I choose, there always seems to be one web site that will moan about my choice of characters. Some of them even tell me I can't use a password because it is too LONG. WTF? Are they even hashing it?? Have to wonder. It would be nice if there were an RFC or some kind of standard that all sites followed: then we could all use a scheme and be sure that it would be acceptable in most places.
This is why you use password managers of some sort. Dudes are trying to account for something others did not care about. Stop it, you know depending on the site password restrictions are horrible to none at all. Find some way to secure your passwords and use it. Notice that most places that get hacked do not tell you what hash they used. Which means the hash is not even a 256 bit hash. Which means it is probably SHA-1 or MD5 with low iterations. Or worse, no iterations.
From the video you're commenting on: "password systems in general are not a very useful way to authenticate, because they're hard to remember, unless you pick an easy one to remember, in which case it's easy, and not secure. So in some sense we've tried to find a way of authenticating ourselves which is hard for a human to remember, easy for a computer to guess, and people do it badly. "
He nailed it about putting a random underscore in a word. Pass phrases that use random characters inside words are fairly easy to remember and very hard to crack.
One more point - is there conclusive research on how useful/counterproductive the "change your password every 6 months" policy is? (Especially if the new password can't resemble any of the old ones.)
I, too, would like to know this. In particular, assuming I do use a password manager, do I have to change my master password every n months? If so, what is n?
Depends on how paranoid you are. The reason you would want to change a password every n months is to make sure, if your password is compromised, that the time period in which an attacker has access to your accounts is limited. Not sure how realistic that is anymore--most hackers are going to get what they want quickly. I use LastPass and change my master password every year at the beginning of January. This lets me create a strong password that I can commit to memory, while avoiding some of the issues that come about if you never change passwords (like temptation to reuse passwords, etc).
When the financial firm where I worked started this policy, we found that most of the users started writing their password on their desk blotters, bottom of their keyboards, etc because they could never remember it themselves.
Paul Drake Main reason why forcing regular password changes decreases security. Forcing the regular change is probably bad 99% of the time if the sample size of people is bigger than 6 (means: if you have a group of 6+ people and force them to regularly change their password, you're gonna have a bad day [sooner or later]).
If you're multilingual, perhaps use a combination of words from the languages you speak. For instance, to crack a password that's a combination of Norwegian, English and German words (or any subset of the three), you would need to search a pretty big search space in order to find whichever one I might have chosen.
A great easy to remember/ hard to crack password I’ve heard is take a song lyric or quote, then use only the first letter of each word in it- For example, “unwritten” Staring- At The Blank Page Before You, Open Up The Dirty Window Reaching- For Something In The Distance So Close You Can Almost Taste It Feel The Rain On Your Skin becomes “satbpbyoutdwrfsitdscycatiftroys” Throw in a few symbols at The pauses in the song for extra security and good luck finding that in a dictionary attack. (You’ll probably want to use a more obscure song, just to be safe)
But that’s easier to crack if you know that’s what the person is doing. Given a few thousand songs, the number of possible passwords is far more limited than if you randomly arranged some words
@richkitten9539 I do something similar but use random lines, i.e. not consecutive lines from one song/poem but separate lines from different songs/poems or quotes, and also mix up which letter I use, so sometimes the 1st letter of a word, other times the last letter, or even both the first and last. Then using symbols in memorable locations.
@richkitten9539 don't tell people then xD. "A great easy to remember/ hard to crack password I've heard is take a song lyric or quote, then use only the first letter of each word in it-" nobody will ever guess that unless they read this comment thread
Having to spend a minute trying to sing back a song to yourself in your head while paying attention to which letter each word starts with does NOT count as easy to remember
That video was very good, I learned a lot. Another approach for coming up with safe passwords is generating a bunch of random passwords and modifying them so you can find some meaning and remember them easier.
It'd be interesting to hear his opinion on mixing languages. Let's say you have a 3 word password, you separate them with special characters and then the first word is English, the second is Japanese for example and the third one Swedish. Would that break these rainbow lists of hashes?
For cases where you cannot use a password manager (ex. the password for the password manager) I have found a sentence mnemonic to be capable of generating easy to remember (even when seldom used) passwords that as far as I know are fairly tough to break. Obviously they need to be long enough, especially considering that the character set is somewhat restricted and certainly biased, but they are much better than what many people use for cases where a manager is just not an option. Example: PW = Wyu#THHymc23, Mnemonic = (W)hen (y)ou (u)se Hashtag(#) (T)he (H)oly (H)and-grenade (y)ou (m)ust (c)ount to(2) three(3). The PW is dictionary proof, and while not truly random has high enough entropy that I imagine it is reasonably safe from brute force. Certainly there are weaknesses in such a password. It is not random. However you can easily remember very long passwords that contain mixed case, numbers and symbols without any English words, thus providing reasonable security when you cannot use a password manager.
You could pick at least 6 different words, all words being longer than 6 characters each, preferably uncommonly used words, and use words from 2 to 4 different languages (English, French, German, Spanish) while ensuring that words you use don't show up in multiple languages.(If they are going to use a dictionary attack, better give them more dictionaries to look through) Also if you wish, you could misspell one or more of those words in a memorable way. You would need to throw in at least 1 symbol and a capital letter somewhere to make most websites happy but the rest of the password would stand on its own. I would not pick "rubiks" or "lemmings" as both of these things are well known in geek culture. Nor would I choose to use brand names as a list of common brand names could easily be created. My guess is if you ask 100 people to list 20 different brand names off the top of their head there would be quite a bit of overlap. (I think people from a similar locality would have closer matching lists but country wide there would still be a lot of overlap.)
M. de k. lol yeah like that (although ideally you wouldn't want to share that with thousands of people in the youtube comments) The best part is when people look over at your login and see: ********************************************************************************************* , they think you're some kind of super genius demigod. (I have gotten several interesting comments in person. More people look over your shoulder than you would think.) So yeah, there are some benefits of being paranoid.
The real problem is that many sites REQUIRE you to use several symbols, capital letters and numbers. It's annoying, because it means all my passwords are hard to remember. Sure, I can sprinkle one or maybe two special characters in there but more than that and it becomes even harder to remember.
Doesn't this just make it quicker to brute force too? The attacker knows that they can skip over anything that doesn't meet the published requirements. Yes, the inclusion of symbols makes the search space larger, but the exclusion of passwords NOT containing them makes it smaller again...
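The trade-off the comment above describes can be put in numbers. Of all strings of a given length over the 95 printable ASCII characters, only those containing at least one upper-case letter, one lower-case letter, one digit and one symbol satisfy a "use all four classes" rule, and an attacker who knows the rule never has to try the rest. The block below is an added example (not from the video or any commenter) that counts the qualifying strings by inclusion-exclusion over the four classes and reports how many bits of keyspace the published rule gives away; the class sizes (26, 26, 10 and 33 symbols including space) are the standard printable-ASCII split.

```python
import math
from itertools import combinations

# Printable ASCII split into the four classes a typical policy names.
# 26 upper + 26 lower + 10 digits + 33 symbols (space included) = 95.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95


def total_passwords(length: int) -> int:
    """Strings of `length` printable characters with no rule at all."""
    return ALPHABET ** length


def passwords_with_all_classes(length: int, classes=CLASSES) -> int:
    """Strings of `length` that contain at least one character of EVERY class.
    Inclusion-exclusion: sum over subsets T of the classes of
    (-1)^|T| * (95 - number of characters in T)^length, i.e. start from all
    strings, subtract those missing a class, add back those missing two, ..."""
    names = list(classes)
    count = 0
    for k in range(len(names) + 1):
        for excluded in combinations(names, k):
            remaining = ALPHABET - sum(classes[c] for c in excluded)
            count += (-1) ** k * remaining ** length
    return count


def bits(n: int) -> float:
    """Keyspace size expressed as bits an attacker must search."""
    return math.log2(n)


def bits_lost_to_policy(length: int) -> float:
    """How much of the keyspace the attacker can skip because the composition
    rule is public: log2(all strings) - log2(strings the rule permits)."""
    return bits(total_passwords(length)) - bits(passwords_with_all_classes(length))


if __name__ == "__main__":
    for n in (8, 10, 12):
        print(f"length {n}: {bits(total_passwords(n)):.1f} bits unrestricted, "
              f"{bits(passwords_with_all_classes(n)):.1f} bits with all-four-classes rule "
              f"({bits_lost_to_policy(n):.2f} bits given away)")
    print(f"12 chars, no rule: {bits(total_passwords(12)):.1f} bits; "
          f"8 chars with rule: {bits(passwords_with_all_classes(8)):.1f} bits")
```

For eight characters the rule removes a little over one bit, so the commenter is right that it helps the attacker, but it is not the main effect: what the rule really does is push humans toward predictable shapes such as "Capital word + digit + !". The last line of the script shows the better lever: twelve characters with no composition rule at all (about 78.8 bits) dwarf eight characters with one (about 51.4 bits), which is why length-based policies plus a common-password denylist, like the Stack Exchange scheme mentioned earlier in the thread, beat composition rules.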
Security through obscurity isn't terrible, but it's also not reliable. Sure, hacking into Bill Gates' online banking service would be great, but if you can set up a distributed attack that gets online banking details for a thousand people, you can probably get more money before anyone catches on that something's wrong, and you can pick off the thousand people with the weakest passwords rather than having to crack strong ones. Also, posting something like that on a video about password strength is like daring someone to crack your password - it massively reduces the obscurity you're relying on for your security...
You are right but the limits mentioned in the video I think are in case someone has access to the hard drive. Besides most sites and especially banks block login attempts after a few tries.
Worth mentioning that it's very unlikely someone will actually get their password database (through keepass or whatever) compromised unless Dropbox (or similar) drops the ball, or an attacker is on your PC. If an attacker is on your PC they can do a lot of things instead of nicking a keepass file and hoping you have something valuable
I used XKCD to make an even stronger policy for myself: 4 words of 4 different languages. Example: höstjääpalochampionshipmira. höst is Swedish for autumn, jääpalo is Finnish for the sport bandy, mira is Russian for world. My hook to the password is that in the autumn there is a world cup/championship for club teams in bandy. I don't use this particular password, but I think it would be very very hard to crack if I did (and hadn't used it as an example)!
People argue that using a password manager is putting all eggs in one basket, but you can mitigate that by using multiple databases with different keys. The alternatives are always worse, unless your memory is phenomenal and you can remember 100 different complex passwords. Another way is to have some sort of algorithm to generate passwords for different things (which is essentially your own private hashing method), but it can also fail, if some input data changes (e.g. a website URL, name etc). Password manager is easy to use, reasonably secure and has manageable risks. It's the way to go for most people who care about these things.
_Never_ reuse a password? I use the same username/password combo for… well, probably hundreds of sites by now, but only for sites I don't care about. It's actually been leaked already, but idgaf. What you gonna do? Steal my account with 0 posts on a random forum that required registration to display URLs I stumbled upon while Googling something a couple years ago? Knock yourself out! I consider those accounts stolen and I'm completely fine with that. Now emails, online banking, social media… that's a different story.
Keep in mind that impersonating you is a thing. I've had to scramble to inform friends and family their shared passwords were a problem because I received links to viruses from accounts they had, but had forgotten.
logicalfundy Impersonating me? The whole point is that I'm nobody on these accounts. No contacts, no posts, no personal information (I even use a separate email account for these registrations to avoid spam on my real account). Impersonate me all you want, but there's nothing in it for you.
Guaulden I do like 10minutemail, but a separate email is actually easier and more reliable. 1. If the site is slow and the registration email takes longer than 10 minutes to arrive you don't have to remember to extend it every 10 minutes (and be forced to start over if you forget). 2. Many sites block 10minutemail and other similar services. 3. Maybe one day you will actually need to receive an email from one of those sites again.
But don't be a popular public figure with a shitty phone company. In that case use cheap GSM phone with a prepaid SIM card that's not linked to your name in any way.
The problem is not to 2FA, the problem is that SMS is not a secure 2FA. It is really easy for attackers to social engineer employees at cell companies into essentially allowing them to clone your SIM card so that they receive all your texts. Now your 2FA is compromised. And this is not just an issue for public figures... if you work somewhere that handles sensitive information you can be targeted for this kind of attack in order to get your work credentials. I've seen it a surprising amount for people working in tech. Always use a proper authenticator app for 2FA, never use SMS! Some sites (like Google) allow using SMS as a backup for 2FA -- this is a bad idea! Make sure to always disable SMS 2FA or SMS account recovery, it is not at all secure and often is easier than actually cracking your password if the payoff is right (which could be a consequence of your employer, even if you personally don't have a lot of money or anything).
How about this method: you pick a simple password you like of any length, then you open an online hashing website and make, say, an md5 hex character string from it with no spaces, lowercase. Then you simply use that md5 as you register on some website. Then when you need to log in, you just do this again - open any online md5 calculator, enter your simple password and get the hash string, then paste it into the password field on the login page. Simple and no password manager needed. If you want to make it more secure - use sha256 or some rare online hasher like, say, shark or something.. You might simply use a CRC64 online calculator, however in this case you have to make sure this is the correct type of CRC. You might also use only the first, say, 10 characters of that md5, or md5 without the last, say, 5 characters, or hash twice md5-md5 or combined md5-sha1 or md5-base64 for example.
the solution to that is to string together four physical locks - physical locks can easily be broken, but if you have enough of them, the attacker will get bored and go home : D
A physical paper. Where you did not make the password cryptic is insanely foolish. You do not write down the password. You give yourself hints. Like in password recovery options and the like. Some people do do that. Writing down your actual passwords is something you should 'never' do for the long term. Store your passwords in some sort of encrypted file system.
The biggest problem with password restrictions is that many websites and services are fairly lazy. If you set the limit to one trillion characters with a full character set, I assure you, you can have secure passwords, because most people can not remember trillions of 'random' characters. However, if you use a series of phrases, not only can your password be long and complicated, it would also be strong enough to remember, strong enough to resist brute force and dictionary attacks. Passwords are hard for me to do at work because I am restricted in what the passwords can be. Same thing when using some websites or services.
I probably shouldn't be saying this, but I want a bunch of computerphiles to dissect my system but here goes: I use a sentence in a book I like that has numbers or words that look like numbers. Take the first letter of each word, capitalize nouns, and replace numerical words. The passwords tend to be long because the sentences are distinct. Let me know if I'm a buffoon or a genius
yeey! I've used a manager for quite some time now. All my passwords are also 25 random characters (with some superior ANSI characters, like Ų#ҹ) and I don't know what they are :D! One day my friend asked me to log into my FB acc on his computer. I just said I couldn't. And I wasn't lying to him!
Keep the program and file on an encrypted flash drive. It's what I do when I need to login to something. Also, I have two different files. One for stuff I rarely login to and one that I carry because I know I'll need it day to day. Which password manager do you use?
If you're using KeePass (like I am) you should keep a copy of your DB on your flash drive. If you trust it, keep a copy on Dropbox and then connect to it via the KeePass Android app and you can have access to your passwords via phone.
Password manager: putting all your eggs in one safe. Password reuse: putting all your eggs in one safe and giving a key to the safe to everyone in your neighborhood. Weak passwords: putting your eggs in a wicker basket that could fall apart at any minute.
The cruel irony of this video is the best passwords are the ones no one knows, and the best method for choosing a password is the one no one has told anyone else.
I was about to say it... I know some long words from two foreign languages (not including my native tongue, English, and the language I studied until B2).
The fact you mentioned this makes it a tactic that someone could use to crack it. Passwords must be as long as possible and random lEtTeRs and $ymb0|s
@norb3695 Yes. I meant my password has all things you need. Upper and lowercase letters, numbers, symbols, and spaces. Thank you for not being surface level. Like everyone else on this site.
6:18 a great way to pick "hard words" for polyglots is by using transliterations of words from other languages. Even better if the language doesn't use the Latin or a related alphabet system. For e.g. I can say "correctkudhiraibatterystaple": "kudhirai" is a possible transliteration of the Tamil word for horse; more to the point, because Tamil uses a phonetic writing system there are a few ways you can write that in the Latin alphabet, in fact googling the word gives me the spelling "kutirai". This would be nearly impossible to dictionary attack in some cases at least. This then comes down to social attack vectors, "does the person who is guessing your password know that it's yours and know about you enough", but even that's easily defeatable, he hinted at this a bit but you can make up words, or use words in languages you don't use often (e.g. being Canadian I know a few French words but not French itself so sticking a random French word in there would be completely unexpected).
Choose two random words, convert their letters to numbers using a=1 b=2 c=3 etc... add them together then convert it back into letters. PIG+CAT would end up being 4817 or dhq or dhag. Semi-random letters that wouldn't be hard to remember, and of course you'd choose words that mean something to you and maybe you could throw the numbers back into it, so you could have dhq4817 or 4d81hq7 to make smaller words a little more secure.
You can also use different keyboard layouts. For example "rkdnl" doesn't look like a word but in standard Korean keyboard layout, it spells "가위" which means scissors. I can use this and some random English word to make something like "rksuitdnltea" and it is very hard to crack, but easy to remember.
So here's how I figured out my password. On the old Nokia 3310 there were games like Snake and Space Impact. I used to play a lot of Space Impact and tried to challenge my highscore quite a lot of times. Once I scored a highscore I never ever beat again. In the highscore options you had a code for your highscore (can't quite remember why though) and that code was a combination of 8 random letters and numbers. Since this highscore was so important to me you're damn sure I've remembered that highscore's code and it's my password.
I use a system where I have a base password, then I append something to the end, unique for each website I have an account with. It's easy to remember, but should also be secure against both brute-forcing and dictionary attacks. It also protects me from having all my accounts breached due to one single breach in one account. I don't use a password manager, either -- I don't need one because of the system I use.
If they only allow a small password then assume that they have bad overall security and that there is a higher chance that a password leak might happen.
Topstormking this is actually the first time I heard of them only allowing small passwords. EDIT: just tested with a 16 length password with special characters etc and it worked fine.
The funniest thing was when I constantly had to remake a password for a site because I couldn't log in with it, and discovered that the site only saved say 10 characters. When I tried to log in with my 12 character password it wouldn't take it unless I removed the last two. No warning "your password is too long" when you created it or anything whatsoever. It just didn't save it, and didn't stop you if you tried to log in with a password that was too long.
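The silent-truncation story above, and the earlier comment about being locked out for using non-7-bit characters, are both failures in how a site stores the password, not in the password. The block below is an added example (not from the video or any commenter) of the server-side handling that avoids both: the complete password, Unicode included, is normalised to NFC (so the same accented character typed in composed or decomposed form compares equal), UTF-8 encoded, and fed whole to a salted, iterated KDF, and any length limit is enforced with an explicit message at registration rather than by cutting the string off. PBKDF2-HMAC-SHA256 from the standard library is used so the block runs anywhere; the iteration count and the 256-character cap (a generous bound on KDF work, well above the 64+ that guidance such as NIST SP 800-63B asks sites to accept) are assumptions to tune.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 200_000  # assumption: tune to your hardware, or use scrypt/argon2


def _normalize(password: str) -> bytes:
    """NFC so composed/decomposed forms of the same text hash identically;
    UTF-8 so any character is accepted, not just 7-bit ASCII."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'. The whole password
    goes into the KDF: nothing is cut off, and a 12-character password cannot
    later be satisfied by its first 10 characters."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", _normalize(password), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", _normalize(password),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def validate_new_password(password: str, min_len: int = 12, max_len: int = 256) -> list:
    """Registration-time policy. Tell the user now instead of truncating later.
    Length is counted in code points, so a multi-byte character counts as one."""
    problems = []
    n = len(password)
    if n < min_len:
        problems.append(f"shorter than {min_len} characters")
    if n > max_len:
        problems.append(f"longer than {max_len} characters")
    return problems


if __name__ == "__main__":
    pw = "correct horse battery staple Ų#ҹ"   # constructed sample
    stored = hash_password(pw)
    print(stored)
    print("full password ok:", verify_password(pw, stored))
    print("first 10 chars ok:", verify_password(pw[:10], stored))
```

The second print is the test the site in the story would have failed: with the whole string in the KDF, a prefix never verifies, and the user is told about limits up front instead of discovering them at login.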
Learn German and use only ONE word :D Some LONG German words: Grundstücksverkehrsgenehmigungszuständigkeitsübertragungsverordnung or maybe Verkehrswegeplanungsbeschleunigungsgesetz, or Unternehmenssteuerfortentwicklungsgesetz. You could also combine these three words xD
That could be cracked by using a dictionary of the 1000 longest German words (or 1000 long common words in general). Reversing or other tricks will not increase entropy much and will make it even harder for you to remember or make a mistake in typing.
How about Welsh? upload.wikimedia.org/wikipedia/commons/e/e8/Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch_station_sign_(cropped_version_1).jpg
If something ever happens to that drawer (e.g. it catches fire, or someone gets the key), you're fucked. I prefer to keep my passwords in a Locked Note (the Apple app), so even if my house burns down, I can still get my passwords back from iCloud.
@Saeed Baig And what if your PC (or flash drive, ..) gets set on fire (or someone steals it - they may need longer to crack it, though they may reach that point, and having your PC stolen is not only bad because of your passwords or data in general)? Same thing applies here, I would say. Additionally, what is easier to "carry" (in a fire scenario); your PC (which I assume most people would have their PW on if they use a PW manager) or a sheet of paper? I would think the latter - though of course it depends. Both have their pros and cons naturally, and none is 100% safe - and never will be. Whatever suits your boat in the end. I just prefer to write them down physically. (And writing them down, wherever you choose, _can_ increase the chance to remember them easier as well, depending on the PW of course - I can at least remember almost all of the passwords I ever used, however "strong" they may be - differs from person to person though, I have to say.)
@saeedbaig4249 I do the exact same thing. My passwords are usually about 20-25 characters long, consisting of uppercase, lowercase, numbers and several special characters. They're too complicated to remember, so I keep them in a locked note in the Notes app. If my MacBook gets stolen I can still access the locked note from my iPhone. If only my iPhone gets stolen I can still access it from my MacBook. If both of them get stolen I can still access the locked note from iCloud.
Great video! Would love one on the implications that will arise with the advent of quantum computing, particularly with respect to current encryption models and what will be needed in the future.
As a small side project while i was learning c# i made something in wpf that does the same thing as a password manager, I use three root words and the sites name press enter and it produces a garbled mess of a string i then use as a password, i then paste that in the form/loginbox, besides just having been a fun thing to get working (Z+4=space) i don't have any worries about server or local, or keyloggers since i don't actually ever type the password. If you want to make the "four random words" even more secure, type two of them backwards.
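Several commenters describe the same family of scheme: a secret plus the site name, run through some function, gives a per-site password ("base password plus a suffix", "three root words and the site name", "md5 of a simple password from an online hasher"). The block below is an added example (not from the video or any commenter, and not the commenter's WPF tool) of the safe version of that idea: a slow, salted KDF run locally, with the site label and a rotation counter as the salt, and the output encoded into a 64-character alphabet so a leaked password from one site reveals neither the master secret nor any other site's password. Two properties of the weaker variants are visible in the design: a fast unsalted hash (md5 of "a simple password you like") is only as strong as that simple password, and a plain suffix shows the shared base to anyone who reads one breach dump. The label format, iteration count, alphabet and 20-character default are assumptions.

```python
import hashlib
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SYMBOLS = "!?"                             # 2 symbols: alphabet is exactly 64 chars
ALL = UPPER + LOWER + DIGITS + SYMBOLS     # 256 % 64 == 0, so byte % 64 is unbiased


class _ByteStream:
    """Hands out derived key bytes one at a time; raises if exhausted."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def next(self) -> int:
        if self.pos >= len(self.data):
            raise RuntimeError("key stream exhausted")
        b = self.data[self.pos]
        self.pos += 1
        return b


def _pick(stream: _ByteStream, alphabet: str) -> str:
    """Rejection sampling: drop bytes above the largest multiple of
    len(alphabet) so every character of the class is equally likely."""
    limit = 256 - 256 % len(alphabet)
    while True:
        b = stream.next()
        if b < limit:
            return alphabet[b % len(alphabet)]


def derive_site_password(master: str, site: str, length: int = 20, counter: int = 0) -> str:
    """Deterministic per-site password.
    site    : a label you keep stable, e.g. 'example.com' (lower-cased here)
    counter : bump it to rotate one site's password without changing master
    Strength is bounded by the master secret; the KDF makes guessing slow
    but adds no entropy, so the master must itself be a strong passphrase."""
    salt = f"site-pw-v1|{site.lower()}|{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, 200_000, dklen=128)
    stream = _ByteStream(key)
    # Positions 0-3 guarantee one character of each class for sites that
    # demand it; the remaining positions are uniform over all 64 characters.
    chars = [_pick(stream, UPPER), _pick(stream, LOWER),
             _pick(stream, DIGITS), _pick(stream, SYMBOLS)]
    chars += [_pick(stream, ALL) for _ in range(length - 4)]
    return "".join(chars)


def meets_policy(pw: str) -> bool:
    """Upper, lower, digit and symbol all present (the usual composition rule)."""
    return (any(c in UPPER for c in pw) and any(c in LOWER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw))


if __name__ == "__main__":
    master = "constructed master passphrase for the demo"   # constructed sample
    for site in ("example.com", "example.org"):
        print(site, derive_site_password(master, site))
    print("rotated:", derive_site_password(master, "example.com", counter=1))
```

The scheme shares the weakness noted earlier in the thread for all algorithmic generators: if the site label changes (a rename, a merged domain) or a site forces its own rules, you must remember the label and counter you used, which is the bookkeeping a real password manager does for you; and because it is deterministic, the master secret is the single point of failure and deserves the diceware-grade passphrase discussed above.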
My bank limits the length of one's password to, I think, 8 characters and forces you to use a "special character", which they limit to choices like . , ? and !. So my imgur password can be much stronger than my bank password, essentially.
Many such cases. I created a password generator that hashes a long, beautiful sequence of unrelated unicode characters from whatever two keys I punch in. There were letters. There were numbers. There were musical notes. Works for most websites. Not for banks. Or Google websites.
This would work on mobile phones that have emoji readily typeable from the keyboard. However, the website/software must accept strange characters, which often isn't the case. Great idea, though! Better use a strange character using an ALT+[four numbers] code. An alternative is changing to a different keyboard layout (e.g. Dvorak), but still typing on your regular (e.g. QWERTY) layout. This last trick is not practical, though, and easily programmable to convert any dictionary from QWERTY to Dvorak.
I have used several different passwords over the years, and they get more and more complex. I tend to remember which password to use with a site by when I created my account there. Currently I have two I commonly use, both are 16 random characters.
Password Manager + 2FA = best security I can think of. Even if they get your master password, they can't do much unless they also have your 2FA device. I personally use LastPass with Sesame, and Google Authenticator as a backup. On top of that I also have 2FA for a lot of my specific accounts, such as my Google account, Facebook, Amazon, etc., so even if they SOMEHOW get through my LastPass and have all of my other accounts, they still need my phone to get into those accounts.
What if you use a very long phrase and make it into an acronym? "The quick brown fox jumped over the lazy dog" becomes tqbfjotld, which isn't a real word in any language, and then you add numbers, symbols, etc
May I suggest a variation? Take a Chinese, Japanese, or Korean phrase, translate it, and make an abbreviation the same length as the original. For example, 개마고원 ("Gaema Gowon", translating to Gaema Plateau) would become gmpt.
It's a common enough practice that (depending on your source text) I'd avoid the first letters. For example, I would not be surprised if a number of hacker dictionaries actually contain tqbfjotld specifically, but they probably don't contain eknxdreyg (last letters same phrase) or the string you'd get by doing that to the second verse of the theme song from your favorite sitcom.
If you are going to add numbers, symbols, etc., why not add them to "The quick brown fox jumped over the lazy dog"? bro^wn isn't a real word in any language either, meaning a basic dictionary search is useless, and the phrase is almost 5 times longer and easier to remember.
I do something pretty similar, but I try to use phrases with punctuation. Eg: The dagger soliloquy from Shakespeare's Macbeth: Is this a dagger I see before me, its handle towards my hand? Come, let me clutch thee. It has capitals, lower case, and punctuation: ItadIsbm,ihtmh?C,lmct. Memorable (well, obviously, you need to choose one *you* can remember. Dunno why that piece of Shakespeare stuck with me since high-school...) never gonna come out of a dictionary, and there are so many movies, books and songs out there, you're not likely to see collisions.
I swapped to a password manager the same day after watching this video, to be honest. :D Anyway, another cool idea, following the rules discussed in this video: if English is your second language, mix words in English and your mother tongue. Now hackers would have to use a dictionary twice as big (English and your mother tongue); stick a random symbol in one of the words and hackers can kiss your password goodbye until the quantum computer era comes.
My hard drive encryption key is the chorus of a song, with one character representing each word (not necessarily the first letter, but fairly easy to remember, like using - instead of "less", for example). It's a song that no one would necessarily believe that I've even heard of. It's hard to resist the urge to whistle the tune while typing my password :)
@Tristan Ridley The bank won't let someone do more than 3 or 4 failed login attempts in a short period of time; they will ban the IP and maybe block the account temporarily, so even if your password is like 4 chars long they won't guess it. Banks could still be hacked (very unlikely) and attackers would be able to do the offline cracking; the thing is, if that happens the bank will immediately suspend all the accounts and attackers won't be able to steal money.
@@tomyman Hashes can leak without the bank even knowing at first, and since literally all of those passwords would be cracked within hours, they might realize only too late.
So I don't know how easy it is to do over the internet, but when I was in high school, I found a program that would just rip your stored passwords from every browser installed on the computer, and it could do it in about half a second. This tells me it's probably not secure at all
Ha, that XKCD comic is EXACTLY what I was thinking of when I clicked on the link to this video. Once upon a time, I think I even used "correct horse battery staple" as part (not the whole thing. I'm not that crazy) of a password. I'll be darned if I can actually remember where I used it. Welp, guess I'll be resetting that one if it's not stored in my password manager!
Dr Mike Pound is my favorite presenter on computerphile.
he _pounds_ the information on us.
He is one of them; Professor Brailsford, however, is my favorite. Steve Furber was also amazing when he was on.
Gotta love Rob Miles too (and Tom Scott of course)
Malonomy Tom Scott isn't really a presenter, as he doesn't work at the university.
I'm in love with him
An excellent poem there at the start:
"Some people watching will have good passwords,
Some people will have thought about this before,
Some people should have thought about this and haven't,
And hopefully will, after we talk about this, a little bit more"
jord99 That was amazing.
Truly was. I will paint that onto my wall or tattoo it somewhere
3 years later...
I don't know half of you half as well as I should like;
and I like less than half of you half as well as you deserve.
wah
"Make a password with words people don't usually use."
*changes password to "Nickelbackisagoodband"*
Hahahahhahaha
Hazzardworks *logs into your user*
Appleisnotoverpriced
Chris McKenzie Nintendoswitchesarenowinstock
TrumpIsLikeReallySmart
All this talk about passwords always reminds me of this scene in Harry Potter and the Prisoner of Azkaban (the book at least, not sure if it made it into the movie): In the story, the students have to say a password to get into their dormitory. Because of heightened security, they change the password so often that one of the students with rather poor memory (Neville) ends up writing down the whole list of passwords on a piece of paper. That list ends up getting stolen, defeating the entire purpose of the heightened security.
It would ronelove
No, but that's actually why you *don't* want to force people to change their passwords too frequently. The more frequently you have to change your password, the more likely you are to make insecure ones, to the point that people can sometimes even guess your current password given a list of your previous ones. So frequent password changes actually lead to exactly the sort of security issue that let Sirius break into Gryffindor Tower
"Computerphile - Making you uncomfortable towards your life choices since 20XX"
It's all fine and dandy until you have to use a website that either:
a) forces you to use uppercase, numbers, symbols, runes, smoke signals...
or
b) limits your password to something like 12-16 characters
My bank's online banking takes the cake here: they use CONSECUTIVE numbers for the username and exactly 6 digits as the password. You CANNOT change the username and you must use a 6-digit password.
In my experience banks are the ones with the worst online security of all companies.
That's what password managers are for.
I'd change banks
Yeah, I would change banks as well. Not only is a 6-character set too small, you say it's only a 6-digit set. You don't even need one Titan to crack that; an 8800 GTX could do it in under a second.
4 years ago, watching this video made me realize I had a bad password system and I switched to using a password manager. Thanks computerphile
and here you are after 4 years
Now they're gonna use the least likely 10,000 words in the dictionary. Great going, Mike.
Why? Most words like that will be words 0.001% of the population even know. Things like nudiustertian.
It's a joke.
or just 10,000-20,000 :P
Stack Exchange uses a scheme where the 10,000 most common passwords are simply disallowed. Otherwise it simply has to be long enough (I think >8 symbols). That seems pretty sensible to me.
Never go too common or too uncommon, because they are guaranteed to be on a list.
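A minimal version of the policy described in this thread (a blocklist of the most common passwords plus a length floor), as an added example that is not from the video or from any commenter. The blocklist below is a constructed handful of entries standing in for the real 10,000-entry list. The normalisation step is my addition: it undoes the mangling rules a cracker already applies automatically (case, l33t substitutions, trailing digits), so that "P@ssw0rd123" is rejected as "password" instead of slipping past a literal lookup.

```python
import re

# Constructed stand-in for a "10,000 most common passwords" list (illustration only;
# real lists, such as the ones shipped with cracking tools, run to tens of thousands).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "monkey",
    "dragon", "football", "correcthorsebatterystaple",
}

# Substitutions a rule-based cracker tries for free; undo them before the lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def candidate_forms(pw):
    """All normalised spellings of pw that should be compared against the blocklist."""
    base = pw.lower()
    forms = {base, re.sub(r"\s+", "", base)}          # "correct horse ..." -> "correcthorse..."
    forms |= {re.sub(r"\d+$", "", f) for f in forms}  # "password123" -> "password"
    forms |= {f.translate(LEET_MAP) for f in forms}   # "p@ssw0rd" -> "password"
    forms.discard("")
    return forms


def check_password(pw, blocklist=COMMON_PASSWORDS, min_len=8):
    """Return None if the password is acceptable, otherwise the reason it was rejected."""
    if len(pw) < min_len:
        return f"too short (minimum {min_len})"
    hits = candidate_forms(pw) & blocklist
    if hits:
        return f"too common (normalises to {sorted(hits)[0]!r})"
    return None


if __name__ == "__main__":
    for pw in ["1234567", "P@ssw0rd123", "correct horse battery staple", "Nwegtutrtt"]:
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

The normalisation matters because the 10,000-entry list is only useful if it catches the variants people actually type; a literal set lookup would pass "P@ssw0rd123" even though any cracker's rule set recovers it from "password" in a fraction of a second.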
Guys, post your passwords, let's see whose is best!
RUclips automatically conceals passwords in the comment section. See, here's my paypal password:
*****************
**********
Omg, it really does! That is so cool!
does it really?
password123
tRoLOloLOloLOl1234
bigtittybuttboob14
"Pick a word that other people don't use very often, like your favorite band name." lol
I've had multiple sites/services tell me my password is too long, and even had one telling me I couldn't use special characters. How am I supposed to have a safe password when you don't let me, dammit.
If the account isn't too important, make the password jfjfuenx;3*7bckflDam#,3:#ebuxBDUgrjrb&{¥¡cjDNdu47`¥ejbxkif and put it in a txt file on a pen drive or somewhere in your documents. If you can't go stronger by length, go stronger by using a more difficult charset.
If those sites are doing that part wrong, they've probably got other security holes, too. :/
That would require me to switch banks entirely :/
+Laharl Krichevskoy Did you miss the part where he said "I've had multiple sites/services tell me my password is too long, and even had one telling me I couldn't use special characters."?
Also, please please please don't put passwords in text files. If you're going to use super-strong random passwords, use a password manager.
When it is a one-off site that I probably won't visit again, I just write heyhey, maybe adding a capital letter or a number if needed.
I'd be interested to hear Mike talk about workplace password resets. Lots of places I've worked require employees to reset their passwords every month, and some have onerous requirements for length and symbol usage. I think that rather than improving security, it encourages people to make passwords easy to guess (since they expect to forget), or worse, actually write their passwords down and stick them to the computer.
false.
As a person that speaks 4 languages, I changed my password to 4 words in 4 languages.
//Rule successfully added to dictionary for user: [elave16]
@@MrBibo2050 Yeah, now that you know his scheme it's a piece of cake; you just need to guess which 4 of the thousands of languages out there he used (it might include fictional languages like Eldar, Dothraki or Klingon), which narrows it down to just ~4^(10^7) or so possible passwords...
That's what I thought, use as many languages as you can, but not English or your first language.
@@pmj_studio4065 Don't use any language. I mean, just don't use meaningful words.
Yo_savais_你_would
2 more of these vids, and we'll socially engineer his master password boys!
"Maybe delete your account out of shame"
*proceeds to face palm*
Straight savage
false.
How about using more than one language in the password? For example, horsecaballocapallceffyl is just horse in English, Spanish, Irish and Welsh - unless the hacker tries dictionary attacking you with multiple languages at once (which would surely increase the search space to the point of absurdity), that should be safe, still only requires you to remember four words, and most people know at least some words from a foreign language.
What about not even making them the same word but in different languages, just slip in a Japanese word or a Portuguese word or whatever, as one of them?
My example was only the same word because I was lazy and didn't feel like putting multiple words through google translate ;).
+Parker8752 Gotta throw in a _ mid-word and they shouldn't have a chance of getting it :D
passwordunodeuxsthree incoming...
That sounds alright at first glance, until you realize the search space is actually quite low because you still used a common English word as the base component. Say, the dictionary is a top 1000 of English words with european translations. Assuming that horse is in there, your password is going to be in there.
I'd say that, to actually benefit from multiple languages, do use a set of different words, in the different languages.
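The point made just above, that a multi-language word list barely grows the search space, can be checked numerically. The following is an added example (not from the video or from any commenter): a toy offline cracker that hashes every concatenation of words drawn from the union of several per-language "top N" lists and recovers the hash of the commenter's horsecaballocapallceffyl. The word lists are constructed, a few words each so the search finishes instantly; the unsalted SHA-256 stands in for whatever fast hash a careless site might store.

```python
import hashlib
import itertools
import math

# Constructed toy "top N" lists per language, a few words each so the search finishes
# instantly; a real attacker's lists hold thousands of words per language.
WORDLISTS = {
    "en": ["horse", "house", "water", "tree", "dog"],
    "es": ["caballo", "casa", "agua", "arbol", "perro"],
    "ga": ["capall", "teach", "uisce", "crann", "madra"],
    "cy": ["ceffyl", "ty", "dwr", "coeden", "ci"],
}


def sha256_hex(text):
    """Unsalted fast hash, as a weak site might store it; the attacker gets GPU speeds."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def search_space_bits(dict_size, n_words):
    """Bits of work for n_words drawn independently from a dictionary of dict_size entries."""
    return n_words * math.log2(dict_size)


def crack_concatenated(target_hex, wordlists, n_words):
    """Try every n_words concatenation over the union of all language lists.
    Returns (recovered plaintext or None, number of candidates hashed)."""
    combined = sorted({w for words in wordlists.values() for w in words})
    tried = 0
    for combo in itertools.product(combined, repeat=n_words):
        tried += 1
        candidate = "".join(combo)
        if sha256_hex(candidate) == target_hex:
            return candidate, tried
    return None, tried


if __name__ == "__main__":
    target = sha256_hex("horsecaballocapallceffyl")   # the password from the comment above
    found, tried = crack_concatenated(target, WORDLISTS, 4)
    print(found, tried)
    # Merging four 1000-word lists into one 4000-word list adds only 4 * log2(4) = 8 bits.
    print(search_space_bits(1000, 4), search_space_bits(4000, 4))
```

The arithmetic is the point: going from one 1000-word dictionary to four of them merged costs the attacker 8 extra bits over a four-word password, the same as adding a single random printable character. Picking four unrelated words from one large list does far more than translating one word four times.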
Always when I type a password it gets replaced with * or •, and that's so easy to crack! They really need to fix this!
That's hiding the password, dumbass
r/whoosh
@@tuneboyz5634 THATS THE JOKE
@@tuneboyz5634 Yeah but they're hiding the password with a single character, that can't be secure
@@tuneboyz5634 r/woosh
it would be something if your 128 character uber password gets a hash collision with the password "password"
Which is why using MD5 is very much no longer the recommended hashing method.
You know that this is already so much more unlikely than getting struck by lightning and eaten by rabid squirrels afterwards that this argument is somewhat ridiculous? In fact, getting attacked by rabid squirrels has happened way more often than successful attacks based on MD5 collisions. Just google it.
any scientific proof of that or just your holy book?
edit:
apparently the post this was meant to answer was deleted, so we got our answer.
Come on now, person who mixed up username and password when making your RUclips account, that's clearly not an argument of any sort. It's a joke.
nice password there.
To emphasise the point made around 4:17 , just for fun, I tried typing in "correct horse battery staple" into the password strength checker for my Google account. It was considered strong up until I finished typing the last word, at which case it dropped to medium, so he's absolutely right that XKCD's password is not a good choice, just like any other password everyone knows.
I always make my passwords 'incorrect'. So whenever i forget my password it will say 'your password is incorrect'
*slow clap*
This fried my slow clap processor.
I make my password "*******" so they think its encrypted
it_twit - Redstoner&Mapmaker Now that is a joke I can bear because I haven't seen it chewed up and spat out hundreds of times before.
My password is: bythetimeyouhaveguessedmyreallylongpasswordiwillhavestolenyourbagel
1. 4:59 He addressed that: "(You can add a few more bits to account for the fact that this is only one of a few common formats.)"
2. 5:42 The comic assumed the top 2048 words. You can tell based on the bits of entropy in the illustration.
One thing I think would be great to mention here is diceware. A nice system for choosing passwords that makes it easy for you to generate memorable passwords with any level of entropy you desire. I use around 100 bits of entropy for my low security master password, and ~120 bits for my high security master password.
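The diceware mechanics and the entropy arithmetic behind the numbers in the two comments above (44 bits for four words from 2048, ~100 and ~120 bits for a diceware master password), as an added example that is not from the video or from any commenter. The five-dice-to-index mapping is the standard diceware one; the tiny word list at the bottom is constructed so the file runs stand-alone and is not a real 7776-word list.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5   # 7776 words, one per five-dice roll "11111" .. "66666"


def dice_index(roll):
    """Map a five-dice roll such as "11111" to a 0-based index into a diceware list."""
    if len(roll) != 5 or any(ch not in "123456" for ch in roll):
        raise ValueError("a diceware roll is exactly five digits from 1 to 6")
    index = 0
    for ch in roll:
        index = index * 6 + (int(ch) - 1)
    return index


def entropy_bits(list_size, n_words):
    """Entropy of n_words chosen uniformly and independently from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest word count whose passphrase reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to enumerate the whole space at a given guess rate."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(wordlist, n_words, separator=" "):
    """Pick n_words with a CSPRNG; secrets.choice is uniform, random.choice is not meant for this."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed toy word list so the file runs stand-alone; a real diceware list has 7776 entries.
TOY_WORDLIST = ["correct", "horse", "battery", "staple", "cloud", "anvil", "tulip", "quartz"]

if __name__ == "__main__":
    print(dice_index("11111"), dice_index("66666"))                  # 0 7775
    print(entropy_bits(2048, 4))                                      # 44.0, the comic's estimate
    print(words_needed(100, DICEWARE_LIST_SIZE), words_needed(120, DICEWARE_LIST_SIZE))  # 8 10
    print(round(seconds_to_exhaust(44, 1000) / (365.25 * 86400)))    # ~557 years at 1000 guesses/s
    print(generate_passphrase(TOY_WORDLIST, 4))
```

Two caveats the arithmetic assumes: the words must be chosen by dice or a CSPRNG, not by hand (a human "random" pick of four words has far less than 11 bits each), and the 1000 guesses per second figure is the comic's online-attack rate; against a stolen hash the attacker's rate is set by the hash, which is why ~100 bits rather than 44 is sensible for a master password.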
I just use the entire lyrics of bohemian rhapsody as my password. It makes every login attempt a rock concert.
No time for losers
Me: uses the lyrics of Never Gonna Give You Up as my password, therefore rickrolling anyone who tries to login to my account.
"Oops! Your password is too long!"
"Oops! You need to include a number, a symbol, and an upper and lowercase letter"
"Oops, that character is not supported!"
@@reallyappreciateyourhelplu9928 verb please
That's the worst. That's why I put those rules in the notes section of that site's entry.
I think this presentation is brilliant. I have one small point to make when it comes to random websites that require you to make an account. If the website is not going to be storing sensitive information, then surely just using a weak password to circumvent this annoying requirement of having to create an account is not much of an issue.
Love these videos. Great presentation Dr. Mike!
On the subject of choosing passwords, I've run across something odd myself. A password is something you use over and over again. I've used it as a psychological tool. My password is a positive affirmation of a couple of short sentences. If you are going to type it over and over again, then why not?
I feel that I perceive a difference in myself just because I changed the password I type constantly. Also cracking full sentence passwords might be hard :)
My favorite stuff is the "Secret Question" stuff that pops up when I forget my password or when I need to answer a "shield" question. I give wrong, easy to remember answers to the questions about what my first car was, where I went to Elementary school, etc. If I get to make up my own question, then it's REALLY fun.
I recently started to use my generator for the security questions but I don't get asked them as much by sites as I used to.
More tips:
- Mix different languages
- Use phonetic spelling instead of the dictionary version
And if you use phonetic substitution (a common example in English would be to replace "for" with "4") in the middle of one of your words, use one of those other languages.
(The main reason I don't use more words from my north-Norwegian dialect than I do is that a lot of them need letters that require a Norwegian or possibly Danish keyboard to write, which is a problem if I ever need to write them on a different keyboard.)
Another tip is to legit put spaces into your password. Means a brute force attempt will never work, or so I have been told
You can't mix languages on some websites
Use your dialect, if you have any
Use your dialect in phonetic, if you can
Use your dialect in phonetic and add symbols if you like
But in the end, don't use it everywhere, because a single cracked database screws you over everywhere else.
I've gotten permanently locked out of accounts using non-7bit characters. In a few cases it looked like I damaged their database or something given how the site behaved when trying to login or reset the password. This is gradually less of an issue over time but at least once upon a time a lot of sites appeared to use hand-rolled systems that didn't sanitize input.
I got a lot more canny about passwords a few years ago, and have adopted a common scheme for them. I thought this would mean I could remember them all much more easily and still be secure. But the really irritating thing is that whatever rules I choose, there always seems to be one web site that will moan about my choice of characters. Some of them even tell me I can't use a password because it is too LONG. WTF? Are they even hashing it?? Have to wonder. It would be nice if there were an RFC or some kind of standard that all sites followed: then we could all use a scheme and be sure that it would be acceptable in most places.
This is why you use password managers of some sort. Dude, you are trying to account for something others did not care about. Stop it; you know that depending on the site, password restrictions range from horrible to none at all. Find some way to secure your passwords and use it.
Notice that most places that get hacked do not tell you what hash they used, which means the hash is not even a 256-bit hash, which means it is probably SHA-1 or MD5 with few iterations, or worse, no iterations.
From the video you're commenting on: "password systems in general are not a very useful way to authenticate, because they're hard to remember, unless you pick an easy one to remember, in which case it's easy, and not secure. So in some sense we've tried to find a way of authenticating ourselves which is hard for a human to remember, easy for a computer to guess, and people do it badly. "
@@franspigel9281 I generally agree, though I do think there *are* ways to make passwords easy(ish) to remember and also hard to crack :)
@@macronencer passphrases are the future
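The contrast drawn above, between a fast unsalted hash and a properly iterated one, in working code. This is an added example, not from the video or from any commenter: a per-user random salt, PBKDF2-HMAC-SHA256 with a high iteration count stored alongside the digest so it can be raised later, constant-time comparison on verify, and a check that flags legacy records for rehashing on the user's next login. The 600,000 iteration figure is the current OWASP recommendation for this construction and should be treated as a floor that rises over time.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP's current PBKDF2-HMAC-SHA256 recommendation; raise over time
SALT_BYTES = 16


def md5_unsalted(password):
    """The weak scheme the comment above describes: fast, unsalted, identical for identical inputs."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted, iterated hash in a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, iterations=ITERATIONS):
    """True if the record was made with fewer iterations than we now require;
    rehash it on the user's next successful login, when the plaintext is available."""
    return int(stored.split("$")[1]) < iterations


if __name__ == "__main__":
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print(md5_unsalted("hunter2") == md5_unsalted("hunter2"))   # True: one digest for everyone
    print(a == b, verify_password("hunter2", a), verify_password("hunter3", a))  # False True False
```

The salt is what defeats the shared-rainbow-table attack several comments worry about, and the iteration count is what turns "all of those passwords would be cracked within hours" into a per-password cost the attacker has to pay; neither helps a password that is itself in the top 10,000, which is why the blocklist and the hashing belong together.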
Finally! someone who points out the issues with the XKCD system.
He nailed it about putting a random underscore in a word.
Pass phrases that use random characters inside words are fairly easy to remember and very hard to crack.
What about foreign words? Would people run dictionaries for all ~94 generally used languages?
And what about extinct/dormant languages like, for example, some of the Sami languages or Livonian?
Robin Williams Just a quick look at your Google+ page and I would say those three languages are English, Spanish and maybe Genoese/Italian.
agun17 Nice try! :-) One out of three ain't bad, as Meatloaf didn't say ;-)
Robin Williams I'd add german just because it's so popular on the internet and pop culture.
+agun17 Actually I've been asked if I'm German an unusual amount of times over the years
One more point - is there conclusive research on how useful/counterproductive the "change your password every 6 months" policy is? (Especially if the new password can't resemble any of the old ones.)
I, too, would like to know this. In particular, assuming I do use a password manager, do I have to change my master password every n months? If so, what is n?
Depends on how paranoid you are. The reason you would want to change a password every n months is to make sure if you password is compromised, that the time period in which an attack has access to your accounts is limited. Not sure how realistic that is anymore--most hackers are going to get what they want quickly.
I use LastPass and change my master password every year at the beginning of January. This lets me create a strong password that I can commit to memory, while avoiding some of the issues that come about if you never change passwords (like temptation to reuse passwords, etc).
When the financial firm where I worked started this policy, we found that most of the users started writing their password on their desk blotters, bottom of their keyboards, etc because they could never remember it themselves.
I wish there were. I certainly know that all it does is force me to use simpler passwords.
Paul Drake
Main reason why forcing regular password changes decreases security. Forcing the regular change is probably bad 99% of the time if the sample size of people is bigger than 6 (meaning: if you have a group of 6+ people and force them to regularly change their password, you're gonna have a bad day [sooner or later]).
If you're multilingual, perhaps use a combination of words from the languages you speak. For instance, to crack a password that's a combination of Norwegian, English and German words (or any subset of the three), you would need to search a pretty big search space in order to find whichever one I might have chosen.
A great easy to remember/ hard to crack password I’ve heard is take a song lyric or quote, then use only the first letter of each word in it-
For example, “unwritten”
Staring- At The Blank Page Before You,
Open Up The Dirty Window
Reaching- For Something In The Distance
So Close You Can Almost Taste It
Feel The Rain On Your Skin
becomes “satbpbyoutdwrfsitdscycatiftroys”
Throw in a few symbols at The pauses in the song for extra security and good luck finding that in a dictionary attack.
(You’ll probably want to use a more obscure song, just to be safe)
But that’s easier to crack if you know that’s what the person is doing. Given a few thousand songs, the number of possible passwords is far more limited than if you randomly arranged some words
@@richkitten9539 I do something similar but use random lines, i.e. not consecutive lines from one song/poem but separate lines from different songs/poems or quotes, and also mix up which letter I use, so sometimes the 1st letter of the word, other times the last letter, or even both the first and last. Then I use symbols in memorable locations.
@@richkitten9539 Don't tell people then xD. "A great easy to remember/hard to crack password I've heard is take a song lyric or quote, then use only the first letter of each word in it" - nobody will ever guess that unless they read this comment thread.
@@desudesu8695 Nwegtutrtt
Having to spend a minute trying to sing back a song to yourself in your head while paying attention to which letter each word starts with does NOT count as easy to remember
That video was very good, I learned a lot.
Another approach for coming up with safe passwords is generating a bunch of random passwords and modifying them so you can find some meaning and remember them more easily.
It'd be interesting to hear his opinion on mixing languages. Let's say you have a 3-word password, you separate them with special characters, and then the first word is English, the second is Japanese, for example, and the third one Swedish. Would that break these rainbow lists of hashes?
For cases where you cannot use a password manager (ex. the password for the password manager) I have found a sentence mnemonic to be capable of generating easy to remember (even when seldom used) passwords that as far as I know are fairly tough to break. Obviously they need to be long enough, especially considering that the character set is somewhat restricted and certainly biased, but they are much better than what many people use for cases where a manager is just not an option.
example:
PW = Wyu#THHymc23
Mnemonic = (W)hen (y)ou (u)se Hashtag(#) (T)he (H)oly (H)and-grenade (y)ou (m)ust (c)ount to(2) three(3)
The PW is dictionary proof, and while not truly random has high enough entropy that I imagine it is reasonably safe from brute force.
Certainly there are weaknesses in such a password. It is not random. However, you can easily remember very long passwords that contain mixed case, numbers and symbols without any English words, thus providing reasonable security when you cannot use a password manager.
"Make a password with words people don't usually use."
Changes my password to "brain"
Password cracking groups watching this video, furiously scribbling notes about giving low-frequency words a higher precedence
I love that people think making a password different is just putting the name of the site on the same password they use everywhere.
You could pick at least 6 different words, all words being longer than 6 characters each, preferably uncommonly used words, and use words from 2 to 4 different languages (English, French, German, Spanish) while ensuring that words you use don't show up in multiple languages.(If they are going to use a dictionary attack, better give them more dictionaries to look through) Also if you wish, you could misspell one or more of those words in a memorable way. You would need to throw in at least 1 symbol and a capital letter somewhere to make most websites happy but the rest of the password would stand on its own.
I would not pick "rubiks" or "lemmings" as both of these things are well known in geek culture. Nor would I choose to use brand names as a list of common brand names could easily be created. My guess is if you ask 100 people to list 20 different brand names off the top of their head there would be quite a bit of overlap. (I think people from a similar locality would have closer matching lists but country wide there would still be a lot of overlap.)
are you joking? now you've gone off the opposite extreme.
Oh shut up. You can be paranoid all you want, but don't advise others to be too.
+SuperAWaC Not that extreme in my opinion. If you speak multiple languages why not include them in your password?
M. de k. lol yeah like that (although ideally you wouldn't want to share that with thousands of people on the youtube comments)
The best part is when people look over at your login and see: *********************************************************************************************, and they think you're some kind of super genius demigod. (I have gotten several interesting comments in person. More people look over your shoulder than you would think.) So yeah, there are some benefits to being paranoid.
Just go straight to Navajo language
The real problem is that many sites REQUIRE you to use several symbols, capital letters and numbers. It's annoying, because it means all my passwords are hard to remember. Sure, I can sprinkle one or maybe two special characters in there but more than that and it becomes even harder to remember.
Special characters are difficult to type on foreign keyboards.
Doesn't this just make it quicker to brute force too? The attackers knows that they can skip over anything that doesn't meet the published requirements. Yes, the inclusions of symbols make the search space larger, but the exclusion of passwords NOT containing them make it smaller again...
No they're not. What special characters you can type varies per keyboard type, but there's always a few, like @, ', _, %, §, etc.
M. de k. Let's not, because it can now publicly be found on the internet.
. . . which is why you should do what he explained at the end of the video: Use a password manager.
great effort on spreading password and IT security awareness!
I never thought I would find a Computerphile video from the Avast website
been using one of these managers, dad got me into it, but this video convinced me to change the master
I'll just hope nobody cares enough about me to even try.
The cost to try is so low, they don't need to care about you, or even know you exist; it's automated!
Security through obscurity isn't terrible, but it's also not reliable. Sure, hacking into Bill Gates' online banking service would be great, but if you can set up a distributed attack that gets online banking details for a thousand people, you can probably get more money before anyone catches on that something's wrong, and you can pick off the thousand people with the weakest passwords rather than having to crack strong ones.
Also, posting something like that on a video about password strength is like daring someone to crack your password - it massively reduces the obscurity you're relying on for your security...
that should be your password
+Sam Lenz but now everybody knows it 😯
You are right but the limits mentioned in the video I think are in case someone has access to the hard drive. Besides most sites and especially banks block login attempts after a few tries.
Worth mentioning that it's very unlikely someone will actually get their password database (through keepass or whatever) compromised unless Dropbox (or similar) drops the ball, or an attacker is on your PC. If an attacker is on your PC they can do a lot of things instead of nicking a keepass file and hoping you have something valuable
I used XKCD to make an even stronger policy for myself. 4 words of 4 different languages. Example höstjääpalochampionshipmira
höst is Swedish for autumn
jääpalo is Finnish for the sport bandy
mira is Russian for world.
my hook to the password is that in the autumn there is a world cup/championship for club teams in bandy.
I don't use this particular password, but I think it would be very very hard to crack if I did (and hadn't used it as an example)!
it's mir (мир), not mira js
@@user-dt4sh9tm2g at russian bandy federation, world cup in bandy is Кубок мира .
People argue that using a password manager is putting all eggs in one basket, but you can mitigate that by using multiple databases with different keys. The alternatives are always worse, unless your memory is phenomenal and you can remember 100 different complex passwords. Another way is to have some sort of algorithm to generate passwords for different things (which is essentially your own private hashing method), but it can also fail, if some input data changes (e.g. a website URL, name etc).
Password manager is easy to use, reasonably secure and has manageable risks. It's the way to go for most people who care about these things.
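Two comments in this thread describe deriving a per-site password from a few memorised words plus the site name (the WPF side project earlier, and the "your own private hashing method" just above, with its noted failure mode that any change to the inputs changes the output). The following is an added example of that approach, not code from the video or from any commenter, built from standard primitives: PBKDF2 over the master secret with the site label as salt, a cheap HMAC expansion of the result, and rejection sampling so that the byte-to-character mapping is unbiased. The site label is canonicalised and paired with a counter, so that "Example.com" and "example.com" agree and a single site's password can be rotated without touching the master. The restricted symbol set is an assumption made to cope with the site rules complained about elsewhere in the thread; narrow it further per site if a site rejects one of its characters.

```python
import hashlib
import hmac
import itertools
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*-_"                        # assumed conservative set most sites accept
CHARSET = LOWER + UPPER + DIGITS + SYMBOLS    # 72 characters
ITERATIONS = 200_000                          # PBKDF2 cost paid once per derivation


def derived_stream(master, site, counter=1, blocks=32):
    """Yield key-material bytes bound to (master, canonical site, counter).
    PBKDF2 makes guessing the master expensive; HMAC then expands the 32-byte key
    into as many bytes as the sampler needs, one counter-labelled block at a time."""
    salt = f"{site.strip().lower()}:{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS)
    for i in range(blocks):
        yield from hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()


def unbiased_chars(stream, charset):
    """Map bytes to charset by rejection sampling; a plain byte % len(charset) favours
    the first 256 % len(charset) characters."""
    limit = 256 - (256 % len(charset))        # 216 for 72 symbols: accept only b < 216
    for b in stream:
        if b < limit:
            yield charset[b % len(charset)]


def meets_policy(pw):
    """At least one character from each class, the rule many sites enforce."""
    return (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw))


def site_password(master, site, length=20, counter=1):
    """Deterministic per-site password: the same inputs always give the same output,
    so only the master secret has to be remembered."""
    chars = unbiased_chars(derived_stream(master, site, counter), CHARSET)
    while True:
        candidate = "".join(itertools.islice(chars, length))
        if len(candidate) < length:
            raise RuntimeError("key material exhausted; increase blocks in derived_stream")
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed example master; never reuse a known one
    print(site_password(master, "example.com"))
    print(site_password(master, "example.com") == site_password(master, "Example.COM "))  # True
    print(site_password(master, "example.com", counter=2))   # rotated, master unchanged
```

The scheme inherits the weakness the commenter above points out: everything hangs on one master secret with no way to revoke a leaked derived password except by bumping that site's counter, and the site's own rule changes (a new maximum length, a banned symbol) have to be recorded somewhere, which is exactly the bookkeeping a password manager does for you.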
"You moving your phone out of your pocket, and Google saying you moved your phone weirdly"
I have been laughing at this for 5 minutes.
_Never_ reuse a password?
I use the same username/password combo for… well, probably hundreds of sites by now, but only for sites I don't care about. It's actually been leaked already, but idgaf. What you gonna do? Steal my account with 0 posts on a random forum that required registration to display URLs I stumbled upon while Googling something a couple years ago? Knock yourself out! I consider those accounts stolen and I'm completely fine with that.
Now emails, online banking, social media… that's a different story.
Keep in mind that impersonating you is a thing. I've had to scramble to inform friends and family their shared passwords were a problem because I received links to viruses from accounts they had, but had forgotten.
logicalfundy Impersonating me? The whole point is that I'm nobody on these accounts. No contacts, no posts, no personal information (I even use a separate email account for these registrations to avoid spam on my real account). Impersonate me all you want, but there's nothing in it for you.
And a separate username?
Actually you could just use 10minutemail, then you wouldn't need to have a separate mail for things like that.
Guaulden I do like 10minutemail, but a separate email is actually easier and more reliable.
1. If the site is slow and the registration email takes longer than 10 minutes to arrive you don't have to remember to extend it every 10 minutes (and be forced to start over if you forget).
2. Many sites block 10minutemail and other similar services.
3. Maybe one day you will actually need to receive an email from one of those sites again.
Also, use 2-step verification on important accounts like your email.
But don't be a popular public figure with a shitty phone company. In that case use a cheap GSM phone with a prepaid SIM card that's not linked to your name in any way.
The problem is not 2FA, the problem is that SMS is not a secure 2FA. It is really easy for attackers to social engineer employees at cell companies into essentially allowing them to clone your SIM card so that they receive all your texts. Now your 2FA is compromised. And this is not just an issue for public figures... if you work somewhere that handles sensitive information you can be targeted for this kind of attack in order to get your work credentials. I've seen it a surprising amount for people working in tech.
Always use a proper authenticator app for 2FA, never use SMS! Some sites (like Google) allow using SMS as a backup for 2FA -- this is a bad idea! Make sure to always disable SMS 2FA or SMS account recovery, it is not at all secure and often is easier than actually cracking your password if the payoff is right (which could be a consequence of your employer, even if you personally don't have a lot of money or anything).
??
Is c0/\/\pu73rp4i|e ok to use for youtube?
Yes
Not anymore
Damnit, how'd you know?
That wouldn't work for me, it's my mom's maiden name :-/
awww see what u did there :3
How about this method: you pick a simple password you like of any length, then you open an online hashing website and make, say, an MD5 hex string from it, with no spaces, lowercase. Then you simply use that MD5 as you register on some website. Then when you need to log in, you just do this again: open any online MD5 calculator, enter your simple password and get the hash string, then paste it into the password field on the login page. Simple, and no password manager needed. If you want to make it more secure, use SHA-256 or some rare online hasher like, say, Shark or something. You might simply use a CRC64 online calculator, however in this case you have to make sure this is the correct type of CRC. You might also use only the first, say, 10 characters of that MD5, or the MD5 without the last, say, 5 characters, or hash twice (MD5 of MD5) or combined MD5-SHA1 or MD5-Base64, for example.
I think you should convert/hash it locally.
I love steam, they don't have any restriction other than the character one. Nice video, changed my password everywhere now :)
You should have mentioned the XKCD about the $5 wrench.
the solution to that is to string together four physical locks - physical locks can easily be broken, but if you have enough of them, the attacker will get bored and go home : D
Phil Hibbs i
@@davidtiganila27 the wrench is used on the person suspected of knowing the password (or their loved ones)
false.
What if my database is a sheet of paper? Can they hack it?
Matouš Hrdlička yes
A physical paper where you did not make the password cryptic is insanely foolish. You do not write down the password. You give yourself hints, like in password recovery options and the like. Some people do do that. Writing down your actual passwords is something you should 'never' do for the long term.
Store your passwords in some sort of encrypted file system.
Encrypt it
He’s
??
Yesterday I had to create a new password on a library website. It forced me to pick one with the length 6 or less.
I mean really?
The biggest problem with password restrictions is that many websites and services are fairly lazy.
If you set the limit to one trillion characters with a full character set, I assure you, you can have secure passwords, because most people cannot remember trillions of 'random' characters. However, if you use a series of phrases, not only can your password be long and complicated, it would also be strong enough to remember. Strong enough to resist brute force and dictionary attacks.
Passwords are hard for me to do at work because I am restricted to what the passwords can be. Same thing when using some websites or services.
I probably shouldn't be saying this, but I want a bunch of computerphiles to dissect my system but here goes:
I use a sentence in a book I like that has numbers or words that look like numbers. Take the first letter of each word, capitalize nouns, and replace numerical words. The passwords tend to be long because the sentences are distinct.
Let me know if I'm a buffoon or a genius
I had to change all my passwords after watching this
yeey! I've used a manager for quite some time now. All my passwords are also 25 random characters (with some superior ANSI characters, like Ų#ҹ) and I don't know what they are :D! One day my friend asked me to log into my FB acc on his computer. I just said I couldn't. And I wasn't lying to him!
Definitely in my top 10 funniest stories of 2016
Keep the program and file on an encrypted flash drive. It's what I do when I need to login to something. Also, I have two different files. One for stuff I rarely login to and one that I carry because I know I'll need it day to day. Which password manager do you use?
what manager is that?
I use Keepass
If you're using KeePass (like I am) you should keep a copy of your DB on your flash drive. If you trust it, keep a copy on Dropbox and then connect to it via the KeePass Android app and you can have access to your passwords via phone.
Password manager: Literally putting all your eggs in one basket.
but its one very strong basket
Password manager: Putting all your eggs in one safe
Password reuse: putting all your eggs in one safe and giving a key to the safe to everyone in your neighborhood
Weak passwords: putting your eggs in a wicker basket that could fall apart at any minute
Literally literally.
+catfish552 - This is a virtual world - literally.
:)
I prefer to put my passwords in no baskets, just let them float around on my hard drive and the internet. I don't care.
The cruel irony of this video is the best passwords are the ones no one knows, and the best method for choosing a password is the one no one has told anyone else.
Alternatively, make your password a full, sizable-yet-memorable sentence, much like this one.
How about using words in another language, or every word in a different language?
That is an interesting point. How long would it take to find a password written in four different obscure languages
I was about to say it... I know some long words from two foreign languages (not including my native tongue, English, and the language I studied until B2).
If you speak multiple languages, combine them!
Unless you know the languages well, then this kind of password just becomes difficult to remember and not really any more secure.
The fact you mentioned this makes it a tactic that someone could use to crack it. Passwords must be as long as possible and random lEtTeRs and $ymb0|s.
"Never ever reuse your password, ever"
Me: I always, every time, reuse my password, every time.
♫♪Ludwig van Beethoven♪♫ "Never ever reuse your password ever" is my password.
He means at other sites.
ok?
My password is pretty damn clever. Sadly I can never share it with anyone.
*FeelsBadMan*
That's only 3 words, super crackable, all in the top 300 words, and just because you used "damn" doesn't make it better.
@@kellynolen498 That's not their password xD
I know I'm late
ok?
@@norb3695 Yes. I meant my password has all things you need. Upper and lowercase letters, numbers, symbols, and spaces. Thank you for not being surface level. Like everyone else on this site.
6:18 A great way for polyglots to pick "hard words" is by using transliterations of words from other languages. Even better if the language doesn't use the Latin or a related alphabet. For example, I can say "correctkudhiraibatterystaple": "kudhirai" is a possible transliteration of the Tamil word for horse; more to the point, because Tamil uses a phonetic writing system there are a few ways you can write that in the Latin alphabet, and in fact googling the word gives me the spelling "kutirai". This would be nearly impossible to dictionary attack, in some cases at least. This then comes down to social attack vectors ("does the person who is guessing your password know that it's yours and know enough about you"), but even that's easily defeatable. He hinted at this a bit, but you can make up words, or use words in languages you don't use often (e.g. being Canadian I know a few French words but not French itself, so sticking a random French word in there would be completely unexpected).
Mathematically it would be stronger to just add one more English word than worrying about multiple languages.
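Added example (not from the video or any commenter in this thread): the guess-space arithmetic behind the claim just above, so the "more words" and "more languages" options can be compared under an attacker who knows the scheme. The word-list size and the two guess rates are assumptions chosen for illustration, not measurements.

```python
# Added example: entropy and crack-time arithmetic for the word-based schemes
# argued about in this thread. DICEWARE, OFFLINE_RATE and ONLINE_RATE are
# assumptions for illustration; real rates depend on the hash the site uses.
import math

DICEWARE = 7776            # assumption: a 6^5 Diceware-style word list per language
OFFLINE_RATE = 1e11        # assumption: guesses/s against a fast, unsalted hash on GPUs
ONLINE_RATE = 10.0         # assumption: guesses/s against a throttled login form


def bits_words(n_words, dictionary_size):
    """n words chosen uniformly at random from a list the attacker also has."""
    return n_words * math.log2(dictionary_size)


def bits_one_word_per_language(n_languages, per_language_size, attacker_knows_order=True):
    """One random word from each of n_languages lists of equal size.
    If the attacker knows which language sits in which slot, each slot is worth
    log2(size); otherwise the unknown arrangement adds log2(n!)."""
    bits = n_languages * math.log2(per_language_size)
    if not attacker_knows_order:
        bits += math.log2(math.factorial(n_languages))
    return bits


def bits_pooled_languages(n_words, per_language_size, n_languages):
    """n words, each drawn from the union of n_languages lists (the attacker just merges them)."""
    return bits_words(n_words, n_languages * per_language_size)


def bits_chars(length, alphabet_size):
    """length characters chosen uniformly from an alphabet (6 digits, 95 printable ASCII, ...)."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(bits, guesses_per_second):
    """Time to exhaust the whole space at the given rate; the expected time is half of this."""
    return 2.0 ** bits / guesses_per_second


def human(seconds):
    for unit, size in (("y", 31_557_600), ("d", 86_400), ("h", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} s"


def compare():
    """Bits of entropy for the schemes discussed, assuming the attacker knows the scheme."""
    return {
        "4 English words": bits_words(4, DICEWARE),
        "5 English words": bits_words(5, DICEWARE),
        "4 words, 4 languages, order known": bits_one_word_per_language(4, DICEWARE, True),
        "4 words, 4 languages, order unknown": bits_one_word_per_language(4, DICEWARE, False),
        "4 words from the merged 4-language list": bits_pooled_languages(4, DICEWARE, 4),
        "6-digit bank PIN": bits_chars(6, 10),
        "8 random printable ASCII chars": bits_chars(8, 95),
        "25 random printable ASCII chars": bits_chars(25, 95),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:42s} {bits:5.1f} bits"
              f"  offline {human(worst_case_seconds(bits, OFFLINE_RATE)):>14s}"
              f"  online {human(worst_case_seconds(bits, ONLINE_RATE)):>14s}")
```

With these assumptions a fifth English word adds about 13 bits, while spreading four words over four languages adds at most about 8 bits (and nothing at all if the attacker knows which language goes in which slot), which is the point made above. The table also shows why a 6-digit PIN is only defensible behind a lockout: offline it falls in microseconds.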
Choose two random words, convert their letters to numbers using a=1 b=2 c=3 etc... add them together then convert it back into letters. PIG+CAT would end up being 4817 or dhq or dhag. Semi-random letters that wouldn't be hard to remember, and of course you'd choose words that mean something to you and maybe you could throw the numbers back into it, so you could have dhq4817 or 4d81hq7 to make smaller words a little more secure.
Pick some book.
Write down a sentence.
Insert some underscores and miss some spaces.
Done.
??
“ *Stylistically* speaking, Java is my favourite programming language.”
CSS: Am i a joke to you?
You can also use conlangs, if you're nerdy enough. Nobody expects the Klingon Inquisition.
This needs to be a class taught in every high school.
You can also use different keyboard layouts. For example "rkdnl" doesn't look like a word but in standard Korean keyboard layout, it spells "가위" which means scissors. I can use this and some random English word to make something like "rksuitdnltea" and it is very hard to crack, but easy to remember.
Can you recommend a great password manager?
Streamingmadman lastpass
KeePass or Password Safe.
Also: mix languages and include typos.
except most sites will force you to have 6--12 char long password with symbols and numbers in it - you know... so it's safe....
So here's how I figured out my password. On the old Nokia 3310 there were games like Snake and Space Impact. I used to play a lot of Space Impact and tried to beat my high score quite a lot of times. Once I scored a high score I never ever beat again. In the high score options you had a code for your high score (can't quite remember why though) and that code was a combination of 8 random letters and numbers. Since this high score was so important to me, you're damn sure I've remembered that high score's code, and it's my password.
I use a system where I have a base password, then I append something to the end, unique for each website I have an account with. It's easy to remember, but should also be secure against both brute-forcing and dictionary attacks. It also protects me from having all my accounts breached due to one single breach in one account. I don't use a password manager, either -- I don't need one because of the system I use.
problem with some place where they only allow a small password length :( sad panda
you mean _that_ sad panda?
If they only allow a small password then assume that they have bad overall security and that there is a higher chance that a password leak might happen.
Topstormking
This is actually the first time I've heard of them only allowing small passwords.
EDIT: just tested with a 16 length password with special characters etc and it worked fine.
use only the first N letters of the random password where N is the maximum allowed letters in a password
The funniest thing was when I constantly had to remake a password for a site because I couldn't log in with it, and discovered that the site only saved say 10 characters. When I tried to log in with my 12 character password it wouldn't take it unless I removed the last two.
No warning "your password is too long" when you created it or anything whatsoever. It just didn't save it, and didn't stop you if you tried to log in with a password that was too long.
learn german and use only ONE word :D
some LONG german words: Grundstücksverkehrsgenehmigungszuständigkeitsübertragungsverordnung
or maybe Verkehrswegeplanungsbeschleunigungsgesetz, or Unternehmenssteuerfortentwicklungsgesetz. You could also combine these three words xD
It'd be more secure to reverse one of them.
+John Michaelson but would be incredibly hard to remember
That could be cracked by using a dictionary of the 1000 longest german words (or 1000 long common words in general). Reversing or other tricks will not increase entropy much and will make it even harder for you to remember or make a mistake in typing.
How about welsh?
upload.wikimedia.org/wikipedia/commons/e/e8/Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch_station_sign_(cropped_version_1).jpg
lol, not bad. we should mix them up ;D
So, how about keeping my passwords in a notebook in a drawer which is always locked?
George Cobalt I thought about that too
If something ever happens to that drawer (e.g. it catches fire, or someone gets the key), you're fucked.
I prefer to keep my passwords in a Locked Note (the Apple app), so even if my house burns down, I can still get my passwords back from iCloud.
cuz we all know how secure iCloud has been
@Saeed Baig
And what if your PC (or flash drive, ...) gets set on fire (or someone steals it; they may need longer to crack it, though they may reach that point, and having your PC stolen is not only bad because of your passwords or data in general)? The same thing applies here, I would say.
Additionally, what is easier to "carry" (in a fire scenario): your PC (which I assume most people would have their passwords on if they use a password manager) or a sheet of paper? I would think the latter, though of course it depends. Both have their pros and cons naturally, and neither is 100% safe, and never will be.
Whatever suits your boat in the end. I just prefer to write them down physically. (And writing them down, wherever you choose, _can_ increase the chance of remembering them more easily as well, depending on the password of course. I can at least remember almost all of the passwords I ever used, however "strong" they may be. It differs from person to person though, I have to say.)
@@saeedbaig4249 I do the exact same thing. My passwords are usually about 20-25 characters long, consisting of uppercase, lowercase, numbers and several special characters. They're too complicated to remember, so I keep them in a locked note in the Notes app. If my MacBook gets stolen I can still access the locked note from my iPhone. If only my iPhone gets stolen I can still access it from my MacBook. If both of them get stolen I can still access the locked note from iCloud.
Great video! Would love one on the implications that will arise with the advent of quantum computing, particularly with respect to current encryption models and what will be needed in the future.
As a small side project while I was learning C#, I made something in WPF that does the same thing as a password manager. I use three root words and the site's name, press enter, and it produces a garbled mess of a string I then use as a password; I then paste that into the form/login box. Besides just having been a fun thing to get working (Z+4=space), I don't have any worries about server or local, or keyloggers, since I don't actually ever type the password.
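Added example (not from the video or any commenter in this thread): several comments above describe the same idea, a fixed secret plus the site name run through a hash (the online MD5 method, the "base password plus a per-site suffix", and the root-words-plus-site-name tool just described). This is that scheme done locally with a slow KDF instead of one fast MD5, so that someone who obtains one derived password still has to pay the KDF cost for every guess at the master secret. The alphabet, the iteration count and the helper names are assumptions for illustration.

```python
# Added example: local, deterministic per-site password derivation.
# Assumptions: ALPHABET, KDF_ITERATIONS and all function names are illustrative.
import hashlib
import hmac
import string
import unicodedata

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"   # 75 symbols
ACCEPT_BELOW = 256 - 256 % len(ALPHABET)   # rejection-sampling threshold: no modulo bias
KDF_ITERATIONS = 200_000                   # assumption; raise until it costs ~0.5 s locally


def _site_secret(master: str, site: str, username: str, counter: int, attempt: int) -> bytes:
    """Stretch the master secret once per (site, username, counter, attempt) with
    PBKDF2-HMAC-SHA256. The slow step is what a single MD5 lacks."""
    master_bytes = unicodedata.normalize("NFKC", master).encode("utf-8")
    # Normalise the site so "Example.com " and "example.com" derive the same password.
    salt = "\x00".join((site.strip().lower(), username.strip().lower(),
                        str(counter), str(attempt))).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_bytes, salt, KDF_ITERATIONS, dklen=32)


def _symbols(secret: bytes, length: int) -> str:
    """Expand the secret with HMAC-SHA256 counter blocks and map bytes onto ALPHABET."""
    out, block = [], 0
    while len(out) < length:
        stream = hmac.new(secret, block.to_bytes(4, "big"), "sha256").digest()
        out.extend(ALPHABET[b % len(ALPHABET)] for b in stream if b < ACCEPT_BELOW)
        block += 1
    return "".join(out[:length])


def _has_all_classes(pw: str) -> bool:
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def derive_site_password(master: str, site: str, username: str = "",
                         length: int = 20, counter: int = 1) -> str:
    """Deterministic per-site password. `counter` is bumped when a site forces a
    reset; that bump must then be remembered, which is this scheme's weak point.
    The output always contains lower, upper, digit and symbol: if a derivation
    happens to miss a class, the next attempt value is tried (still deterministic)."""
    if length < 4:
        raise ValueError("need room for all four character classes")
    attempt = 0
    while True:
        pw = _symbols(_site_secret(master, site, username, counter, attempt), length)
        if _has_all_classes(pw):
            return pw
        attempt += 1


def fit_site_rules(pw: str, max_length: int, allowed_symbols: str = "") -> str:
    """Truncate to a site's maximum and drop symbols it rejects (the bank complaints
    in this thread). The result is weaker, and that weakness is the site's doing."""
    if allowed_symbols:
        pw = "".join(c for c in pw if c.isalnum() or c in allowed_symbols)
    return pw[:max_length]


if __name__ == "__main__":
    master = "correct horse battery staple"          # constructed sample input
    print(derive_site_password(master, "example.com", "alice"))
    print(fit_site_rules(derive_site_password(master, "bank.example", "alice"), 8, ".,?!"))
```

The caveat raised earlier in the thread still applies: everything hinges on one master secret, nothing can be rotated without either changing that secret everywhere or remembering a per-site counter, and a site that renames its domain silently changes its derived password. A password manager avoids all three problems; this is what to do if you insist on the derivation approach anyway.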
If you want to make the "four random words" even more secure, type two of them backwards.
Deliberate misspelled words could help
My bank limits the length of ones password to I think 8 characters and force you to use a "special character" which they limit you to like . , ? and ! for choices.
So my imgur password can be much stronger than my bank password essentially.
Many such cases.
I created a password generator that hashes a long, beautiful sequence of unrelated Unicode characters from whatever two keys I punch in. There were letters. There were numbers. There were musical notes.
Works for most websites. Not for banks. Or Google websites.
ok?
@@Triantalex Why are you here?
How about making an emoji password?
That would be the weirdest thing to crack.
GamerGate Edin True. I might try it in Google though.
You can't use those characters in passwords
Doctor Jew Very disappointing.
This would work on mobile phones that have emoji readily typeable from the keyboard. However, the website/software must accept strange characters, which often isn't the case. Great idea, though! Better use a strange character using an ALT+[four numbers] code. An alternative is changing to a different keyboard layout (e.g. Dvorak), but still typing on your regular (e.g. QWERTY) layout. This last trick is not practical, though, and easily programmable to convert any dictionary from QWERTY to Dvorak.
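Added example (not from the video or any commenter in this thread): what the "type on QWERTY while Dvorak is active" trick actually produces, and the attacker's side of it, which is just the same key map applied to a word list. The key tables are the standard US QWERTY and Dvorak layouts; the word list is constructed. The same approach works for the Korean 2-set layout mentioned above with a different table, as long as the attacker guesses the layout.

```python
# Added example: the QWERTY-keys-with-Dvorak-active remap, forwards (what the
# user gets) and backwards (what the cracker does to a wordlist). Tables are the
# US QWERTY and Dvorak layouts; the sample wordlist is constructed.
import math

QWERTY = "`1234567890-=qwertyuiop[]\\asdfghjkl;'zxcvbnm,./"
DVORAK = "`1234567890[]',.pyfgcrl/=\\aoeuidhtns-;qjkxbmwvz"
assert len(QWERTY) == len(DVORAK) == 47


def _table(src: str, dst: str):
    """Key-position map; shifted letters keep their case, other characters pass through."""
    pairs = dict(zip(src, dst))
    pairs.update({a.upper(): b.upper() for a, b in zip(src, dst) if a.isalpha() and b.isalpha()})
    return str.maketrans(pairs)


_TO_DVORAK = _table(QWERTY, DVORAK)
_FROM_DVORAK = _table(DVORAK, QWERTY)


def to_dvorak(text: str) -> str:
    """Characters produced when `text` is typed on QWERTY key positions with Dvorak active."""
    return text.translate(_TO_DVORAK)


def from_dvorak(text: str) -> str:
    """Inverse map: recover the QWERTY-position string the user actually typed."""
    return text.translate(_FROM_DVORAK)


def expand_wordlist(words):
    """The cracker's counter: try every word as-is and as its Dvorak remap.
    The candidate count at most doubles, so the trick buys at most one bit."""
    seen, out = set(), []
    for w in words:
        for cand in (w, to_dvorak(w)):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def extra_bits(words) -> float:
    """Entropy the remap adds against an attacker who tries both layouts."""
    return math.log2(len(expand_wordlist(words)) / len(words))


if __name__ == "__main__":
    sample = ["hello", "horse", "staple", "correct"]        # constructed wordlist
    print(to_dvorak("hello"), from_dvorak("d.nnr"))            # d.nnr hello
    print(expand_wordlist(sample), f"{extra_bits(sample):.2f} extra bits")
```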
We should get Tom Scott to make an Emoji only password manager.
I have used several different passwords over the years, and they get more and more complex. I tend to remember which password to use with a site by when I created my account there. Currently I have two I commonly use, both are 16 random characters.
Password manager + 2FA = best security I can think of. Even if they get your master password, they can't do much unless they also have your 2FA device. I personally use LastPass with Sesame, and Google Authenticator as a backup. On top of that I also have 2FA for a lot of my specific accounts such as my Google account, Facebook, Amazon, etc., so even if they SOMEHOW get through my LastPass and have all of my other accounts, they still need my phone to get into those accounts.
What if you use a very long phrase and make it into an acronym? "The quick brown fox jumped over the lazy dog" becomes tqbfjotld, which isn't a real word in any language, and then you add numbers, symbols, etc
That's what I do if a website forces me to make security questions.
May I suggest a variation?
Take a Chinese, Japanese, or Korean phrase, translate it, and make an abbreviation the same length as the original. For example, 개마고원 ("Gaema Gowon", translating to Gaema Plateau) would become gmpt.
It's a common enough practice that (depending on your source text) I'd avoid the first letters. For example, I would not be surprised if a number of hacker dictionaries actually contain tqbfjotld specifically, but they probably don't contain eknxdreyg (last letters same phrase) or the string you'd get by doing that to the second verse of the theme song from your favorite sitcom.
if you are going to add numbers, symbols, ect, why not add them to "The quick brown fox jumped over the lazy dog"? bro^wn isn't a real word in any language either, meaning a basic dictionary search is useless, and the phrase is almost 5 times longer, and easier to remember.
I do something pretty similar, but I try to use phrases with punctuation. E.g. the dagger soliloquy from Shakespeare's Macbeth:
Is this a dagger I see before me, its handle towards my hand?
Come, let me clutch thee.
It has capitals, lower case, and punctuation: ItadIsbm,ihtmh?C,lmct.
Memorable (well, obviously, you need to choose one *you* can remember. Dunno why that piece of Shakespeare stuck with me since high-school...) never gonna come out of a dictionary, and there are so many movies, books and songs out there, you're not likely to see collisions.
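Added example (not from the video or any commenter in this thread): the sentence-to-password transform the last few comments describe, with a switch for first or last letters and with the case and punctuation of each word kept, plus the attacker's view of it, which is the same transform run over a quote corpus. The three test sentences are the ones quoted in this thread; the function names are assumptions.

```python
# Added example: one letter per word, punctuation and case preserved, in both
# directions of use: building the password and generating cracker candidates.
import re

_TOKEN = re.compile(r"^(\W*)(.*?)(\W*)$")   # leading punct, word core, trailing punct


def sentence_key(sentence: str, position: str = "first") -> str:
    """Take the first (or last) letter of every word; punctuation stays where it was."""
    if position not in ("first", "last"):
        raise ValueError("position must be 'first' or 'last'")
    out = []
    for token in sentence.split():
        lead, core, trail = _TOKEN.match(token).groups()
        if not core:                      # a token that is only punctuation passes through
            out.append(token)
            continue
        out.append(lead + (core[0] if position == "first" else core[-1]) + trail)
    return "".join(out)


def candidates(quotes):
    """What a cracker generates from a corpus of well-known lines: both letter
    positions, as typed, lower-cased, and with punctuation stripped. Only the
    secrecy of the source text separates this from an ordinary dictionary attack."""
    seen, out = set(), []
    for quote in quotes:
        for pos in ("first", "last"):
            key = sentence_key(quote, pos)
            bare = re.sub(r"\W", "", key)
            for variant in (key, key.lower(), bare, bare.lower()):
                if variant and variant not in seen:
                    seen.add(variant)
                    out.append(variant)
    return out


FOX = "The quick brown fox jumped over the lazy dog"
MACBETH = ("Is this a dagger I see before me, its handle towards my hand? "
           "Come, let me clutch thee.")

if __name__ == "__main__":
    print(sentence_key(FOX), sentence_key(FOX, "last"))     # TqbfjotLd-style keys
    print(sentence_key(MACBETH))                             # ItadIsbm,ihtmh?C,lmct.
    print(candidates([FOX, MACBETH]))
```

The transform is deterministic, so its strength rests entirely on the attacker not having the sentence: a pangram everyone knows yields a key that belongs in a wordlist, while an obscure line does not, exactly as the comment above about tqbfjotld versus eknxdreyg says.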
"unbruteforceable"
Brilliant word. Should be in every dictionary.
It's probably in his password
My password is *********.
Too short
*****
Oh, would **************** be better?
Far better. That is the difference between an hour and 100 million years or so.
See, when YOU type hunter2, it shows to us as *********
All I see is hunter2 .
I swapped to a password manager the same day after watching this video, to be honest. :D Anyway, another cool idea, following the rules discussed in this video: if English is your second language, mix words in English and your mother tongue. Now hackers would have to use a dictionary twice as big (English and your mother tongue); stick a random symbol in one of the words and hackers can kiss your password goodbye until the quantum computer era comes.
My hard drive encryption key is the chorus of a song, with one character representing each word (not necessarily the first letter, but fairly easy to remember, like using - instead of "less" for example). It's a song that no one would necessarily believe that I've even heard of. It's hard to resist to urge to whistle the tune while typing my password :)
I use last pass, gonna make the master pass stronger now though
Mine is upwards of 35 characters, and that's still theoretically vulnerable to a motivated attacker.
2 Canadian banks have maximum of 6 and 8 characters. *facepalm*
@Tristan Ridley
The bank won't let someone do more than 3 or 4 failed login attempts in a short period of time; they will ban the IP and maybe block the account temporarily, so even if your password is only 4 chars long they won't guess it. Banks could still be hacked (very unlikely) and attackers would then be able to do offline cracking; the thing is, if that happens the bank will immediately suspend all the accounts and attackers won't be able to steal money.
@@tomyman Hashes can leak without the bank even knowing at first, and since literally all of those passwords would be cracked within hours, they might realize only too late.
@@vojtechstrnad1 And fire consumes everything - It'll just take one spark and a small gust of wind THEN THE ENTIRE WORLD IS DOOMED!
/sarcasm off
hardware 2fa keys
Banks are slowly catching on to using FIDO Keys.
What about asking Google Chrome to remember your passwords?
So I don't know how easy it is to do over the internet, but when I was in high school, I found a program that would just rip your stored passwords from every browser installed on the computer, and it could do it in about half a second. This tells me it's probably not secure at all
@@tjc9514 Lazagne.exe
It is not secure.
Ha, that XKCD comic is EXACTLY what I was thinking of when I clicked on the link to this video.
Once upon a time, I think I even used "correct horse battery staple" as part (not the whole thing. I'm not that crazy) of a password. I'll be darned if I can actually remember where I used it. Welp, guess I'll be resetting that one if it's not stored in my password manager!
After watching this I immediately went to lastpass and created an account. Thank you very much