Y0urPas5word$ucks and Here's Why

  • Published: 5 Jul 2024
  • Thanks to LastPass for partnering with us on this video! Click here to try LastPass for free: bit.ly/2vcfLIC
    Brian's "friend" hacked Jason's LotR Online account on first guess with "youshallnotpassword" and then "convinced" "Brian," who is totally not his own friend, to spearhead an episode on password security so that Jason can go back to securely hobbit frolicking or whatever else you're supposed to do in that game.
    -----------------------------------------------------------------
    Additional Information
    NIST's guidelines
    pages.nist.gov/800-63-3/
    Jim Fenton's presentation
    slideshare.net/jim_fenton/tow...
    Naked Security on Sophos
    nakedsecurity.sophos.com/2016...
    XKCD comic
    xkcd.com/936/
    XKCD explanation
    explainxkcd.com/wiki/index.ph...
    Numberphile explains the enigma machine
    • Flaw in the Enigma Cod...
    PasswordMeter
    passwordmeter.com/
    -----------------------------------------------------------------
    Patreon: / modernrogue
    Discord (patron reward): / discord
    MR Articles: themodernrogue.com
    Outtakes & BTS: / scamstuff
    Subreddit: modernrogue.reddit.com
    Merch: shop.themodernrogue.com
    Twitter: / modernrogueshow
    Instagram: / modernrogueshow
    Facebook: / modernrogues
    -----------------------------------------------------------------
    Music used in this episode:
    "Things Work Out Eventually" by fantompower
    chillhop.bandcamp.com/album/c...
    "Sleepin" by Jhfly
    chillhop.bandcamp.com/album/c...
    "Lament (ft. Plusma)" by Philanthrope
    chillhop.bandcamp.com/album/c...
    "Pine Trees" by Juan RIOS
    chillhop.bandcamp.com/album/c...
    "Lovely Rita" by Birocratic
    chillhop.bandcamp.com/album/c...
    -----------------------------------------------------------------
    This episode was made with the help of:
    Brian Brushwood - host -- / shwood
    Jason Murphy - host / researcher -- / captainmurphy
    Brandt Hughes - camera operator / editor / researcher -- / gatowag
    Bryce Castillo - camera operator / live audio engineer -- / brycas
  • Entertainment

Comments • 1.4K

  • @ModernRogue
    @ModernRogue  6 years ago +197

    We've all been there: you've got an unopened can, an unscrewed screw, something to be measured, an unopened bottle, and you don't know what time it is--an everyday conundrum! Solve all those problems and more with the All-Access Card! This tiny credit card-sized tool has just about everything: can opener, knife edge, screwdriver, ruler, can opener, 4-position wrench, butterfly screw wrench, saw blade, sun compass, and another wrench just to show off!
    We're giving away 10 All-Access Cards (a $9 value each) free for people who enter our weekly giveaway at gimme.scamstuff.com
    More on the All-Access Card: www.scamstuff.com/products/10-function-credit-card-tool-kit
    Congrats to the winners of last week's Lace Escape Tool giveaway: Lavi Glassman, Louis Buck, Corey Posnanski.

    • @arndegothia1412
      @arndegothia1412 6 years ago

      first reply?

    • @matthewmccarthy2740
      @matthewmccarthy2740 6 years ago +2

      The Modern Rogue i FuCk!n LUv ye'Re v1de0s. Keep it up lads

    • @nabilahmed6583
      @nabilahmed6583 6 years ago +1

      The Modern Rogue do you guys know how to make a blue lagoon? I am sure Trever does...

    • @ajvladmir2481
      @ajvladmir2481 6 years ago

      The Modern Rogue what if your tech does not have double locks?

    • @SavepointCafe
      @SavepointCafe 6 years ago +1

      Here's a good tip: there are real world things that have complicated combinations of characters and letters. Think of your sound system's full model name, a full name for a car including engine size and spec. They will be very easy for you to remember, but a tough nut to crack for anyone else.

  • @aleistergein114
    @aleistergein114 6 years ago +340

    I have the best defense of all against bank hacking: a negative balance.

  • @wienerschnietzel8983
    @wienerschnietzel8983 6 years ago +377

    Fun fact: according to the password strength check website I found, the title of this episode is a pretty secure password.

    • @ModernRogue
      @ModernRogue  6 years ago +82

      hah! That's awesome. enjoy your thumbs-up, sir.

    • @NovemberOrWhatever
      @NovemberOrWhatever 6 years ago +43

      Estimating strength of password "Y0urPas5word$ucks":
      Approx time to crack: 3 minutes
      (in seconds): 74.066
      Strength score (1-5): 1
      Entropy estimate (bits): 20.498
      How the password "Y0urPas5word$ucks" was broken into parts:
        0:
          pattern: dictionary
          i: 0
          j: 3
          token: Y0ur
          matched_word: your
          rank: 27
          dictionary_name: english
          l33t: true
          sub:
            0: o
          sub_display: 0 -> o
          base_entropy: 4.754887502163469
          uppercase_entropy: 1
          l33t_entropy: 1
          entropy: 6.754887502163469
        1:
          pattern: dictionary
          i: 4
          j: 11
          token: Pas5word
          matched_word: password
          rank: 1
          dictionary_name: passwords
          l33t: true
          sub:
            5: s
          sub_display: 5 -> s
          base_entropy: 0
          uppercase_entropy: 1
          l33t_entropy: 1.5849625007211563
          entropy: 2.584962500721156
        2:
          pattern: dictionary
          i: 12
          j: 16
          token: $ucks
          matched_word: sucks
          rank: 762
          dictionary_name: passwords
          l33t: true
          sub:
            $: s
          sub_display: $ -> s
          base_entropy: 9.573647187493323
          uppercase_entropy: 0
          l33t_entropy: 1.5849625007211563
          entropy: 11.15860968821448

    • @theX24968Z
      @theX24968Z 6 years ago +2

      Intel had a video I remember from a while ago that basically said how "c0mPl3x!ty < length" or something like that. Typed that phrase right there in quotes and showed how long it would take to break.

    • @wienerschnietzel8983
      @wienerschnietzel8983 6 years ago +4

      I guess the site I found was crap then ;)

    • @clintonleonard5187
      @clintonleonard5187 6 years ago +2

      It's technically good, but it uses common substitutions that would be easy to guess.
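
The breakdown pasted above is a zxcvbn-style estimate: each dictionary hit costs the attacker roughly its rank in a frequency-sorted wordlist, plus one or two bits for capitalisation and for each l33t substitution, and the tool in the thread assumed 10,000 guesses per second against a slow hash. The following is an added example, not code from the video, the channel or the zxcvbn project; it reimplements those scoring rules for a password that has already been split into tokens, reproduces the thread's 20.5 bits and 74-second figure, and puts them beside the "complexity < length" comparison from the same thread (a random four-word passphrase from a 2048-word list versus eight random printable characters). The l33t table, the word ranks other than the three quoted in the thread, and the guess rates are assumptions.

```python
"""Guess-count estimates in the style of the zxcvbn breakdown quoted in this
thread.  Added example, not code from the video, the channel or the zxcvbn
project.  Assumptions: the l33t table and the word ranks below are
constructed here (the ranks for "your", "password" and "sucks" are the ones
the thread's tool reported), the scoring rules follow zxcvbn 1.0 as I
understand them, and the guess rates are illustrative."""
import math

# Constructed l33t table: the substitutions any cracking rule set tries first.
L33T_TABLE = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s",
              "@": "a", "7": "t", "!": "i", "+": "t"}

# Constructed rank table: position in a frequency-sorted cracking dictionary.
RANKS = {"your": 27, "password": 1, "sucks": 762,
         "correct": 2100, "horse": 980, "battery": 3400, "staple": 7900}

def unl33t(token: str) -> str:
    """Map a token back to plain letters, e.g. 'Pas5word' -> 'password'."""
    return "".join(L33T_TABLE.get(ch, ch) for ch in token.lower())

def uppercase_entropy(token: str) -> float:
    """All-lower costs the attacker nothing; first-, last- or all-upper is one
    extra rule (one bit); any other mix costs the number of ways to pick the
    capitalised positions."""
    letters = [c for c in token if c.isalpha()]
    if not letters or all(c.islower() for c in letters):
        return 0.0
    first_upper = letters[0].isupper() and all(c.islower() for c in letters[1:])
    last_upper = letters[-1].isupper() and all(c.islower() for c in letters[:-1])
    if first_upper or last_upper or all(c.isupper() for c in letters):
        return 1.0
    upper = sum(c.isupper() for c in letters)
    lower = len(letters) - upper
    ways = sum(math.comb(len(letters), i) for i in range(min(upper, lower) + 1))
    return math.log2(ways)

def l33t_entropy(token: str) -> float:
    """For each substitution present, count the ways the attacker must try of
    mixing substituted and plain occurrences (Pas5word keeps one 's' and swaps
    the other); floored at one bit so a substitution never counts for nothing."""
    lowered = token.lower()
    ways = 0
    for sub, plain in L33T_TABLE.items():
        if sub in lowered:
            subbed, unsubbed = lowered.count(sub), lowered.count(plain)
            ways += sum(math.comb(subbed + unsubbed, i)
                        for i in range(min(subbed, unsubbed) + 1))
    return 1.0 if ways <= 1 else math.log2(ways)

def dictionary_entropy(token: str):
    """Bits for a dictionary hit: log2(rank) + case bits + l33t bits.
    Returns None if the un-l33ted token is not a known word."""
    plain = unl33t(token)
    if plain not in RANKS:
        return None
    bits = math.log2(RANKS[plain]) + uppercase_entropy(token)
    if plain != token.lower():          # a substitution was actually used
        bits += l33t_entropy(token)
    return bits

def bruteforce_entropy(token: str) -> float:
    """Fallback for a token that is not a word: every character drawn from the
    classes present (26 lower, 26 upper, 10 digits, 33 symbols)."""
    card = 0
    card += 26 if any(c.islower() for c in token) else 0
    card += 26 if any(c.isupper() for c in token) else 0
    card += 10 if any(c.isdigit() for c in token) else 0
    card += 33 if any(not c.isalnum() for c in token) else 0
    return len(token) * math.log2(card)

def password_entropy(tokens) -> float:
    """Sum the bits of a password already split into tokens, the way the
    thread's breakdown splits Y0urPas5word$ucks into Y0ur / Pas5word / $ucks."""
    total = 0.0
    for tok in tokens:
        bits = dictionary_entropy(tok)
        total += bruteforce_entropy(tok) if bits is None else bits
    return total

def passphrase_entropy(words: int, wordlist_size: int = 2048) -> float:
    """Words drawn uniformly from a wordlist (the xkcd 936 model: 11 bits a word)."""
    return words * math.log2(wordlist_size)

# Illustrative guess rates (assumptions): a throttled login form, an offline
# attack on a slow hash (the 1e4/s the thread's tool assumed), and an offline
# attack on an unsalted fast hash with a GPU rig.
GUESS_RATES = {"online throttled": 10.0, "offline slow hash": 1e4, "offline fast hash": 1e10}

def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time: on average half the space is searched before the hit."""
    return 0.5 * 2 ** bits / guesses_per_second

if __name__ == "__main__":
    cases = {"Y0urPas5word$ucks": ["Y0ur", "Pas5word", "$ucks"],
             "four random words from a 2048-word list": None,
             "8 random printable chars": ["aB3$kL9!"]}
    for label, toks in cases.items():
        bits = passphrase_entropy(4) if toks is None else password_entropy(toks)
        times = ", ".join(f"{k}: {crack_seconds(bits, v):.3g}s" for k, v in GUESS_RATES.items())
        print(f"{label}: {bits:.1f} bits -> {times}")
```

Run as written it shows the l33t string at about 20.5 bits (74 seconds at the slow-hash rate), four random words at 44 bits, and eight random printable characters at about 52.6 bits; the same 44-bit passphrase lasts about 28 years at 1e4 guesses/s but about 15 minutes at 1e10 guesses/s, which is why both the randomness of the word choice and the slowness of the server's hash matter, not the look of the string.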

  • @chiefshack7865
    @chiefshack7865 6 years ago +576

    "The Longer the better" - Jason Murphy 2017

    • @ModernRogue
      @ModernRogue  6 years ago +124

      I mean... he's not wrong.

    • @tyleralbert7717
      @tyleralbert7717 6 years ago +52

      “Suck it Brushwood!” - Jason Murphy 2017

    • @agent0422
      @agent0422 6 years ago +7

      That's what she said

    • @iWinRar
      @iWinRar 6 years ago

      Chief Shack but the question is I'm not enough...

    • @theX24968Z
      @theX24968Z 6 years ago

      Intel had a video I remember seeing that basically said how "c0mPl3x!ty < length" or something like that

  • @disgruntled181
    @disgruntled181 6 years ago +31

    My favorite, I think from Steve Carell: I change all my passwords to "incorrect". So whenever I forget, it says, "your password is incorrect"

  • @EliteProductions3129
    @EliteProductions3129 6 years ago +94

    Not a fan of online password managers. Sounds like a company with a massive target on its back to me. No company is flawless; breaches and exploits are going to happen. It's just a matter of time, especially if it gains popularity.

    • @MrAlucardDante
      @MrAlucardDante 6 years ago +4

      Yeah, same thing for me, I just have a fairly good password (78% according to password meter) and 2FA

    • @Minkafighter
      @Minkafighter 6 years ago +17

      LastPass had breaches already, but the passwords are encrypted on their servers, so the hackers still can't get your passwords, as the password will only be decrypted on your computer.

    • @woltews
      @woltews 6 years ago

      FISA warrant

    • @tonymason6637
      @tonymason6637 5 years ago +2

      This is exactly correct. All you're doing by putting passwords in a password manager is giving hackers access to everything once they exploit it - and it WILL be exploited.

    • @BoJaN4464
      @BoJaN4464 5 years ago +9

      Really old comment here but as it's one of the top comments on this video I feel I should add some things:
      - Passwords are encrypted client-side with 256-bit encryption so even the company can't decrypt them.
      - Your main password is never sent to the company and is only used to encrypt/decrypt your passwords before sending them to the server over an encrypted connection.
      - All password managers recommend, or even require two factor authentication and if you're not using it, you're asking for trouble.
      So, any attackers will need access to either [your password AND your phone] or [the servers AND your password].
      I'll also leave this little snippet from the brute-force attack page on Wikipedia:
      "Breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key. Fifty supercomputers that could check a billion billion (10^18) AES keys per second (if such a device could ever be made) would, in theory, require about 3×10^51 years to exhaust the 256-bit key space."

  • @PDeRop
    @PDeRop 6 years ago +52

    "I AM VERY PROUD OF MY PASSWORD MAKING SKILLS" -- Brian sings after typing his most secret password on a site whose owner he does not know and whose intention he has not learned. That password is now on a secret list to hack Brian Brushwood somewhere in Russia or the USA :)

    • @ModernRogue
      @ModernRogue  6 years ago +37

      well, also it's a dead password from long ago...

  • @deonblack8139
    @deonblack8139 6 years ago +7

    "Star Wars password?" "I've retired that one... Long ago..." So close... Should have said, "A long time ago in a galaxy far, far away."

  • @jadenhenderson1451
    @jadenhenderson1451 6 years ago +87

    "strip him of EVERYTHING" -Brian, 2017

    • @bgruett422
      @bgruett422 6 years ago +8

      Jaden Henderson I think Jason said that

  • @harrywhitlock5470
    @harrywhitlock5470 6 years ago +83

    My steam account was literally hacked today but meh two-step verification on my email stopped that bugger! The hacker then tried to sign into my email! My SMS two-step verification stopped the hacker again! This is the second time a hacker has lost lol!

    • @ModernRogue
      @ModernRogue  6 years ago +21

      nice!

    • @harrywhitlock5470
      @harrywhitlock5470 6 years ago +11

      Two-step certification OP!

    • @harrywhitlock5470
      @harrywhitlock5470 6 years ago +4

      Vertification* lol

    • @elaquen7
      @elaquen7 6 years ago +1

      I had a similar problem with my Facebook account. Two-step verification saved me there as well! I got an SMS 'Use XXXXXX to log into your Facebook account.' I changed my password immediately after.

    • @Impetuss
      @Impetuss 6 years ago +3

      2FA is great, everyone should use it

  • @Lizard-813
    @Lizard-813 6 years ago +46

    Serious question: How worried should I be about LastPass (or any other password managing software) being compromised and/or stealing my passwords themselves?

    • @iiRaptusGaming
      @iiRaptusGaming 6 years ago +21

      LastPass themselves don't even have access to your passwords, the company has been hacked multiple times and none of the passwords stored in LastPass have been compromised. The most you'll ever have to do if LastPass gets hacked is change your master password and that's just an extra precaution.

    • @robertwhelan4620
      @robertwhelan4620 6 years ago +11

      Lizard813 if you're really worried about it, use something like KeePass instead and keep the database and key file on a USB stick. Obviously don't leave it plugged in when you're not using it.

    • @sislmira
      @sislmira 6 years ago +1

      Apart from the other points from other people, you can use a YubiKey + LastPass combination (which I'm doing), which is like overkill and I guess for a user like me more than enough. I've been using LastPass for some time and currently it is a superb program.

    • @samhorman5983
      @samhorman5983 6 years ago +1

      You can always create your own encryption service which runs local on your machine, like if you run windows just encrypt a .txt file with your passwords. Passwords which would obviously be randomly generated.

    • @liquidminds
      @liquidminds 6 years ago +3

      LastPass uses your master password to encrypt your passwords. So they have no access to the plain text and cannot decrypt it easily.
      If they had malicious intent, they could just grab your login data and store it, but if they do that once and someone finds out, their brand is done. They can close their business. They rely on a good reputation, otherwise they won't survive.
      You should never feel 100% secure with anything you do. There is always a risk remaining. But the risks with using LastPass are definitely smaller than with other comparable password systems, since the passwords are encrypted and stored in the cloud, making them safe and accessible.

  • @Wkterr
    @Wkterr 6 years ago +10

    This episode is spot on! When I do penetration testing, password reuse is one of my favorite things to exploit! What's even better is when people used to use the same password everywhere, but have now switched to using a password manager... USING THEIR OLD PASSWORD AS THE MASTER PASSWORD! Talk about making my job easy.

    • @spaghettisama
      @spaghettisama 6 years ago +1

      Wkterr that's exactly what makes me sceptical about password managers, because if you can crack the password for the password manager, you get all the passwords! And if one of those password managers' servers get cracked, then what? I've opted to just write down all my passwords on a sheet of paper that I keep in my wallet and on the wall next to my PC.

    • @Wkterr
      @Wkterr 6 years ago +2

      If you keep your passwords written down somewhere, don't tell the entire world where you keep them...
      About password managers: A properly implemented password manager will not see its users' passwords compromised if their central servers are compromised. Users' passwords should be stored encrypted on the server, and only be decrypted on the actual client itself. How do you know if a password manager is securely implemented though? Well, that's a story for another time when we advocate for open source software.
      Anyhow, yes, one of the downsides with password managers is that if your master password gets compromised, all your stored passwords are compromised too. There are ways to work around that, such as keeping your password manager on a 2nd offline device and typing in your passwords manually, but most people won't accept such an inconvenience. Personally, I just try to keep the amount of important accounts I have to a minimum so that I can remember all my passwords without having to write them down, and use a password manager for the less important stuff.

    • @kingpotato7183
      @kingpotato7183 6 years ago

      Wkterr penetration testing?
      That sounds kinky

    • @Wkterr
      @Wkterr 6 years ago +3

      If only you knew how much action that phrase has given me...
      (Hint: None, because as a fat computer nerd I'm not very sexy)

    • @Minkafighter
      @Minkafighter 6 years ago

      But if you use TWA on the password managers, won't they be as secure as it can get?

  • @DeerBonesBaby
    @DeerBonesBaby 6 years ago +10

    when I was younger my first Runescape password was "Farts"

  • @Skrzelik
    @Skrzelik 6 years ago +8

    Plot twist: there was a keylogger installed on that laptop

  • @billbill6094
    @billbill6094 6 years ago +96

    This video (or, more accurately, the day of the week this video was uploaded on) confused my world. I thought "what, the Modern Rogue uploaded, is it Friday?! Is life even real?! Is the universe a hologram?! How am I eating this food when 'there is no spoon?!'" So, as you can tell, when you change your uploading schedule by one day, it can give a person an existential crisis. A little warning next time.

    • @Maninawig
      @Maninawig 6 years ago

      bill bill read their laptop

    • @Ebolson1019
      @Ebolson1019 6 years ago +2

      But today is Thursday

    • @Dalemoooooon
      @Dalemoooooon 6 years ago

      I knew it couldn't have been a coincidence that that theory was used in a comment 4 hours after Kurzgesagt released a video on it.

  • @nicholassteiner8340
    @nicholassteiner8340 4 years ago +2

    That’s insane. When I was a kid, I used “Star Wars” for the password on my old computer. (The computer and hard drive are long gone.) as an adult, I realize that it wasn’t the most amazing password in the world. But, I had no idea so many other people had the same password.

  • @boru3413
    @boru3413 6 years ago +5

    "What are you Shaggy?"
    haven't heard that reference in years

  • @_.-.
    @_.-. 6 years ago +22

    Around 20 random characters with no correlation to each other forcefully memorized for each account ever. I win.

    • @mac922
      @mac922 6 years ago

      Elder Eggplant my password is 32 digits of a section of Python code from a certain game, with the code itself transferred from c+ to Java and then put in Python

    • @MrFoniek
      @MrFoniek 6 years ago +2

      and I thought I was the boss with my 9 digit password of random letters and numbers

    • @messy_messenger
      @messy_messenger 6 years ago +2

      Logan McNabb Mine is a dick recognition program that requires a studio quality picture and a fingerprint reading of the tip.

    • @kingpotato7183
      @kingpotato7183 6 years ago

      Elder Eggplant why not write it on a piece of paper

    • @Dredbot-hj7gy
      @Dredbot-hj7gy 6 years ago +3

      My password is 42 characters.
      Oh Crap!
      Now I gotta change my password!

  • @oreskec
    @oreskec 6 years ago +102

    episode about password security, and then at 14:02 they enter their passwords at some random website over a "Not secure" network. nice job

    • @ModernRogue
      @ModernRogue  6 years ago +22

      and?

    • @oreskec
      @oreskec 6 years ago +14

      Well, that's not secure (bad practice). Also you crashed their site, it's been down for half an hour hahaha

    • @bgruett422
      @bgruett422 6 years ago +7

      oreskec they said that they replaced all the passwords they put onto the site

    • @ExodusisThere
      @ExodusisThere 6 years ago +5

      There is the possibility that they log and sell information. even if they don't tell you doesn't mean they don't do it. Checking things like auto fill, search history, and cookies can let them know exactly where to use the passwords. I hurt a bit seeing you do that. Also just the number of characters eliminates about 50 percent of the guesswork.

    • @joel.stewart
      @joel.stewart 6 years ago +8

      Checking for an SSL connection should be another segment of the video itself. No matter how secure of a password one uses, sending it over an unencrypted channel negates the value of it. Many users are unaware of what an SSL channel is and the true vulnerability not using one can lead to...perhaps a future video topic. (Yes, 2FA still prevents unauthorized access here.)

  • @domesticcat1725
    @domesticcat1725 4 years ago +4

    This show is like a crossover between mythbusters and teleshopping

  • @cadetri9716
    @cadetri9716 6 years ago +4

    I'm very happy with how your channel is coming about. Been a fan since around 100k, and I'm really happy for your success! I hope that even when you get really big you keep making videos like this!

    • @ModernRogue
      @ModernRogue  6 years ago +2

      thanks so much, man. Makes my day to hear.

  • @davidrahn9903
    @davidrahn9903 6 years ago +3

    Putting your passwords for all your vital things into a random jank-looking website that is not a verified https domain is the smartest thing I have seen all week. Besides that, fun video, gentlemen.

  • @loganisanerd5566
    @loganisanerd5566 6 years ago +2

    MR: Says phrase passwords are secure vs random passwords
    Also MR: Look at how secure this character jumble is

  • @ricksattler682
    @ricksattler682 6 years ago

    I've been using LastPass forever, swear by it. It's amazing how many passwords you have when you start logging them. Having each one unique and not having to remember them is awesome. I wish 2FA was more prevalent, particularly in the banking industry.
    Enjoyed the vid. Keep up the good work :)

    • @ModernRogue
      @ModernRogue  6 years ago +1

      +Rick Sattler glad you liked it!

  • @krzysztofbandyk168
    @krzysztofbandyk168 6 years ago +4

    Also, is using a different language for your password better or worse, as it's a detail that's easy to figure out about you (that you know that language), or is it better because it's less widespread than English is?

  • @FunBoysGaming
    @FunBoysGaming 6 years ago +16

    We need an episode on cigars!

  • @corbingarrett1206
    @corbingarrett1206 5 years ago

    One of the things I do with my passwords is nicknames of people important to me, combined with a date that's important to our relationship, combined with a description of the activities we did on that day. It's things only known to me and that other person, and it's generally long, which, as you said, is one of the biggest factors in security.

  • @wallrunner7635
    @wallrunner7635 4 years ago +1

    Modern Rogue: "Your password sucks"
    Me: *Sweats Nervously*

  • @fakjbf3129
    @fakjbf3129 6 years ago +3

    Actually there was a flaw in the design of the Enigma machine which allowed the Allies to crack it, but yes the flawed human users were a contributing factor. Numberphile has a great video on it, well worth a watch.

    • @vara202
      @vara202 6 years ago

      I'm not sure I'd call it a flaw when the solution to it was "invent the computer"

  • @romasromas73
    @romasromas73 6 years ago +3

    Love your videos, Modern Rogue! Keep up the good work.

  • @snakejawz
    @snakejawz 6 years ago

    One of the easiest combinations to use is Pass-phrasing, pick two to three random words, add/remove spaces, add/remove capitals, add/remove special characters and you have a nearly impossible password that's still relatively easy to remember.

  • @micahphilson
    @micahphilson 6 years ago

    You know, learning German, I was thinking the whole time of passwords in English and German, then I realized that mixing words from other languages into one password would work amazingly! It may not be a word the software would guess at all (particularly obscure words), and it's very unlikely that it would pick random words from 3 or 4 languages and mix 4 full dictionaries to find it! *I STUMBLED UPON THE PERFECT SECRET!* Random foreign obscure swears!
    Especially if you also add umlauts, accents, and Ñ if possible in that password service.

  • @jonasls
    @jonasls 6 years ago +6

    Brian's email password:
    Length: 13
    Uppercase: No
    Symbols: No
    Lowercase: 8
    Numbers: 5
    ??????X??[0-9][

  • @fizizy6415
    @fizizy6415 6 years ago +36

    LastPass is cool because you only have to remember 1 master password and the rest can be 100-digit random characters that you never have to remember.

    • @nopenope7184
      @nopenope7184 6 years ago +23

      Fizizy and then someone can get your 100 passwords with 1% of the effort

    • @Minkafighter
      @Minkafighter 6 years ago +2

      +Nope Nope Not really, you can use 2Way-Auth on LastPass as well...

    • @ViviSectia
      @ViviSectia 6 years ago +5

      2FA is more secure than just a password, but it's not completely secure and some of the weaker implementations aren't much better than just a single password. The fact that some really important passwords are guaranteed to be in LastPass makes it worth the effort for an attacker to spend the time to crack it. Besides, everything gets hacked eventually.

    • @danielpimenta4788
      @danielpimenta4788 6 years ago +8

      until LastPass is hacked and all their passwords are leaked. (Already happened once)

    • @Sitzkrieg
      @Sitzkrieg 6 years ago +4

      A couple years ago someone did an SQL injection on LastPass and almost everyone's info was robbed. LastPass almost went out of business, and if it weren't for their strong supporters they would be definitely dead. 2FA is very secure from someone knowing your password, but another (stronger) SQL injection could do this all over again. I would never recommend using an online bank to keep your passwords because of how they have a tendency to get breached.

  • @NYR14477
    @NYR14477 6 years ago

    Love that disclaimer at the end about the passwords. You know someone was trying to look at them and be naughty lol

  • @nikopack7571
    @nikopack7571 6 years ago

    I literally used to login to my preschool teacher’s computer whenever she left the classroom. She’d change the password almost everyday, yet I could still get in. Good times...

  • @grantarnold8584
    @grantarnold8584 6 years ago +7

    Anyone know his cat's name

  • @TheDarkHorseUprising
    @TheDarkHorseUprising 6 years ago +3

    If you get an old password for Gmail and the victim has a YouTube account, you can use "when was this account created" as a security question! The answer will be on the YouTube about page.

    • @RussellTeapot
      @RussellTeapot 6 years ago

      ow that's dumb as fuck, I didn't know that

  • @adamkimmV
    @adamkimmV 6 years ago

    The most important thing with passwords is to have a different password for each site you're using. Because the number one way that people get hacked is because there is one leak, on one website, and they will use a bot to sign in to a banking site, or Amazon, using the emails and passwords they got from that leak.
    It's very rare for someone to be specifically targeting you, so even changing a single character in each password is going to make your accounts more secure. If you really want to be secure use a password generator, and write your passwords onto a piece of paper, or use an encrypted password manager.

  • @MichaelLeung2011
    @MichaelLeung2011 4 years ago +1

    As an IT guy, your password won't do shit to protect you. As long as their database has a breach, we are all fucked up

  • @jkerman5113
    @jkerman5113 6 years ago +3

    Are you guys actually kidding? Why would you give all your passwords to one website? Someone can just hack that website.

    • @MrImachickenlol
      @MrImachickenlol 6 years ago

      which is why they changed their passwords lol

  • @amosbackstrom5366
    @amosbackstrom5366 6 years ago +36

    The number one way to not get hacked is don't tell anyone your password. How do most drug dealers get caught? They told someone they shouldn't have. Everyone would be safer if they kept their collective fucking mouths shut

    • @djoakeydoakey1076
      @djoakeydoakey1076 6 years ago +6

      Amos Backstrom How is the drug trade these days?

    • @nathanpeterson8011
      @nathanpeterson8011 6 years ago

      Jack Barr Johnston but it is if they tell someone else (or make a copy of the key for someone else) their point is still valid

    • @amosbackstrom5366
      @amosbackstrom5366 6 years ago

      Jack Barr Johnston Well your friend might keep your account logged in on their phone, then someone else gets on their shit.

    • @sjege
      @sjege 6 years ago

      Amos Backstrom I had someone log in on my phone once. He clicked allow on every thing without looking and I now have access to his mothers agenda, his contacts and emails.

    • @TheWindowIsTranspare
      @TheWindowIsTranspare 6 years ago

      Kevin Mitnick (who coined the term "Social Engineering") has always said that the weakest point of any security system is the user. He recounts the story of how he cracked the police's secure lines by getting some basic information on what system they used and using that to convince a dispatcher to give over the secure password and admin number.
      There's also a story out of...I think DEF CON...where a team won the event's "Capture the Flag" competition by tricking a security guard into giving them access to the server room. Five minutes of basic computer use, and they'd won.
      Take yourself out of the equation. Use an algorithm like "First letters of a very long sentence no one could guess" or "8-character secret key no one could guess followed by the letter 'a' 56 times" for your key locker, then never give a single hint to what your password could be. Change your passwords from the secure site itself, and never from an email (even if it looks legit).
      And, for the love of all that is good, don't do those Facebook quizzes that take your name and ask for personal information to give you your "stripper name" or something. That's an easy way to give up information on your security questions.
      EDIT: I use neither of those algorithms. Nice try.

  • @ryansnyder4806
    @ryansnyder4806 6 years ago

    A bit of a trick I've used for passwords (as a math major and a nerd) is that I write 2 or 3 numbers near my computer, and then I have a series of equations that I run those numbers through. Now only I know the equations, and they're easy to remember, so if I forget my password is 123893754803245623643924132, it's relatively easy to type those 2 or 3 numbers through the calculator on my phone in an order that only I know but use for all my passwords. So I can safely keep all my passwords written down without actually writing them down. And since letters are more secure than numbers I can have different number strings correlate to letters or words.

  • @Halo3machenima
    @Halo3machenima 6 years ago +1

    I often write a word and then encrypt it with a Caesar cipher (like the Vigenère cipher) and then use the result as a password. So that way it is pretty much a seemingly random letter sequence (often with a couple numbers added for good measure) and not a word someone could guess.

    • @Halo3machenima
      @Halo3machenima 6 years ago +1

      Randomness, either by hand or computer, is still not truly random. Only nature can be random, and even then there are normally recognizable patterns in most cases. Also, as already mentioned in the video, coherent words are too easily guessed by a hacker because of the human factor. So a passphrase is still not secure enough. A seemingly random string created via an encryption algorithm is about the same as any other computer generated "randomness". Even the best "random number generators" still use an exploitable algorithm as that is what computers are bound by: Math. They can't go against their programmed logic. It is still better than "human randomness" however as the computer could use any number of possible algorithms that are hard to guess, but a human is limited literally by their imagination. Or in other words, their pattern loving nature.

  • @TigerScreem
    @TigerScreem 6 years ago +10

    Making all your weaknesses able to be found in one place.....smart... legitimately same scenario as having all your passwords the same because they only have one obstacle to overcome to get all your info... that's like hiding something from a toddler inside their toy box.... the net is what hackers play with, just because it's out of your hands doesn't make it safe, write it down, put it on paper, hide paper.... inaccessible to hackers period

    • @ModernRogue
      @ModernRogue  6 years ago +6

      that makes perfect sense, if you truly believe you're better than a team of full-time professionals you'd hire to handle your security.
      Are you claiming that you're better than a team of full-time professionals at protecting your security?

    • @TigerScreem
      @TigerScreem 6 years ago +3

      nope, I'm saying paper is, thanks for the reply nonetheless, big fan :)

    • @oscarsmith3942 6 years ago +4

      The important difference is that by using the same password, you are reliant on the worst-secured website that you use, whereas with LastPass or KeePass, a problem would have to be found in one specific site that presumably cares a lot about protecting passwords.

    • @MisterL2_yt 6 years ago

      LastPass does put you at a single point of weakness, sure, and once LastPass is hacked and the passwords are leaked that's a big problem, but other than that it's safer than the other alternatives.
      As for "inaccessible for hackers", that's only true if you use a proper cryptic password AND have no keylogger or similar on your PC. Any other password, especially ones that contain common words, can be guessed using brute force. If you want to evaluate how strong a password is that uses common words, treat every word like it's 2 random letters and then evaluate the length of guessing. The comic at 3:50 is entirely wrong in this regard. The password on the bottom with 4 common words is essentially as secure as 8 random characters. Since the original uses no capitalisation either, we'll use none in our comparison. So you can say it would take a little over a minute to brute force that password.

    • @underdoneelm7721 6 years ago +1

      But a password manager can't have their password database leaked because they don't have one. The passwords are encrypted with a one-time pad the key of which is the current hash of your password. If you try using an incorrect password you'll just get the wrong passwords back. Since the key is essentially random (due to the avalanche effect) and the passwords are actually random, all possible passwords are equally likely. In other words, your password manager doesn't tell them anything.
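
The guess-space arithmetic argued over in the thread above, as an added example that is not from the thread, the video, or any product named here: it computes the entropy of a password under three models (the "two random letters per word" rule of thumb from the reply above, a passphrase of words chosen uniformly from a word list of a given size, and uniformly random characters) and converts bits into an average time-to-guess at a few attacker rates. The guess rates, the 8-character and 4-word comparison points, and the Diceware list size of 7776 are constructed assumptions for the demonstration; the 2048-word list is xkcd 936's own figure of about 11 bits per word. Running the block prints a comparison table; the functions return the figures so they can be checked.

```python
import math

# Constructed assumptions for this example (not figures from the thread):
# rough guess rates for three attacker positions. Real rates depend on the
# hash the site uses, the attacker's hardware, and any rate limiting.
GUESS_RATES = {
    "online, rate-limited (10/s)": 1e1,
    "offline, slow hash (1e5/s)": 1e5,
    "offline, fast unsalted hash (1e9/s)": 1e9,
}


def bits_random_chars(length, alphabet_size):
    """Entropy in bits of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def bits_word_list(word_count, dictionary_size):
    """Entropy in bits of `word_count` words drawn uniformly from a word list."""
    return word_count * math.log2(dictionary_size)


def bits_two_letters_per_word(word_count):
    """The thread's rule of thumb: count each common word as two random
    lowercase letters. Equivalent to drawing from a 26*26 = 676-word list."""
    return bits_random_chars(2 * word_count, 26)


def expected_seconds(bits, guesses_per_second):
    """Average time to hit the password: half the space at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def chars_for_bits(bits, alphabet_size):
    """Shortest uniformly random string over the alphabet reaching `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


def describe(seconds):
    """Human-readable duration, one decimal, largest fitting unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def comparison_table():
    """Bits for each model (assumed comparison points: 8 chars vs 4 words)."""
    return {
        "8 random lowercase letters": bits_random_chars(8, 26),
        "4 words, two-letters-per-word rule": bits_two_letters_per_word(4),
        "4 words, 2048-word list (xkcd)": bits_word_list(4, 2048),
        "4 words, 7776-word list (Diceware)": bits_word_list(4, 7776),
        "7 random printable ASCII (95 symbols)": bits_random_chars(7, 95),
    }


if __name__ == "__main__":
    table = comparison_table()
    for label, bits in table.items():
        print(f"{label:40s} {bits:6.1f} bits")
        for attacker, rate in GUESS_RATES.items():
            print(f"    {attacker:38s} {describe(expected_seconds(bits, rate))}")
    # How many random printable characters match the xkcd passphrase?
    print("printable chars needed for 44 bits:", chars_for_bits(44, 95))
```

The table makes the disagreement in the thread concrete: the two-letters-per-word rule and the 2048-word list differ by about 6.4 bits for four words, roughly an 85x difference in guessing time, and which figure applies depends entirely on whether the words were picked uniformly from a list or chosen by a person.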

  • @Jack_Dab 6 years ago +4

    This reminds me to change my YT password since its shit

    • @Dredbot-hj7gy 6 years ago +4

      INB4 his password is literally "shit"

    • @silvanomazzu4256 6 years ago

      No its "since it's shit"

    • @Marizyth 6 years ago +2

      SvMazz its "it's

    • @silvanomazzu4256 6 years ago +1

      TheMarijn27 you got me there

    • @Wehra96 6 years ago

      my steam password was Fuckingbullshitpassword up until a year or two ago when I got KeePass and I got 2-step on everything that matters.

  • @BusterBeachside 6 years ago +1

    If they told me to put in my passwords for that contest, I'd be like, "Well, all of my passwords are just randomly-generated gibberish stored in LastPass", haha. Of course, before I found LastPass, I was one of those poor sods who didn't even have a wall-- I mean, used the same password for every website, with small variations when there were "rules" to be followed. Bonus points if you caught the reference.

  • @ClassyViking 6 years ago +1

    According to that Password Meter site used in the video, "Summer2017!" is a 100% strong password. Please don't assume an algorithm on a website can tell you if your password is strong or not.

  • @arndegothia1412 6 years ago +15

    sup

  • @LTT.Official 6 years ago +28

    Look at my username, you think my password is short?

  • @aettic 1 year ago

    I use a password manager because of a personal recommendation from a friend. Highly recommend finding one. LastPass is solid, as is 1Password, and Nord's password manager. The trick is, you have to actually use it. The other trick is, be aware that the master password you use is crucial to keep secret. Do not write it anywhere unless it's on paper in a safe or something. Make it something memorable, but also difficult to guess, etc. LastPass and 1Password are named that way because the master password should be the only password you need to remember. From there, you can (and should) use strong passwords for everything, which you don't need to remember.

  • @jonathanhikes5140 6 years ago

    Yes! Thanks for doing this topic Brian and Jason. I'm changing all my passwords today.

  • @NovemberOrWhatever 6 years ago +4

    hash and salt my friends, hash and salt

  • @tmn36 6 years ago +10

    Just search random password generator on Google and save it

    • @rippah669 6 years ago +6

      tmn36 don't completely trust online ones cause they'll commonly pull from a bank of passwords or log passwords you've used. It's safer to use one that's downloaded and delete it when you're done

    • @soundninja99 6 years ago +2

      Or just use lastpass. It generates it for you.

    • @ExodusisThere 6 years ago

      chill dude

    • @HRRRRRDRRRRR 6 years ago +1

      I'm with tmn36, use a "random" password generator!

    • @magicking577 6 years ago

      Kee2Pass is pretty awesome.

  • @MrBlack0950 4 years ago +1

    Two factor verification:
    Having two different keys, one being the handle lock, the other being the top lock.

  • @robertkorhonen9417 6 years ago

    When you said "why wouldn't a person have a second lock on their door, would they just rather leave it open all the time? haHAA" you have to think about how practical it is for certain services to ask for multiple "keys" to a "door".
    Sure, I'll use as many security measures to secure my bank account, but I'm not going to barricade my door every time I go to the store to pick up milk.
    All in all this might have sounded like an angry rant, but I really enjoyed this video and I feel like you overlooked practicality. :)

  • @AntonioCunningham 6 years ago

    I needed this video. Some of my passwords suck. I'll be updating the weak ones as soon as I'm able.

  • @LaraxusArt 6 years ago +1

    Hey guys, I'm actually NOT sponsored to say this like they are but I have to agree with the MR guys, LastPass is fantastic for keeping track of super secure passwords. I've used it for about a year and it's really a life saver.

  • @slendeaway7730 6 years ago

    You guys always have the best passwords... er... sponsors!

  • @CurtisWaltermire 6 years ago +1

    I've been using LastPass for months now and absolutely love it! Add a VPN and you feel invincible online...

  • @ThePanchEffect 6 years ago

    I see that the password meter has no https secure connection... should I go hide under a desk if I check my passwords there?

  • @cris_j 4 years ago +1

    Came for XKCD reference. Time 3:50. If you do it XKCD's way, and use four truly random words, your password will be nigh invulnerable.

  • @TheRookie121 6 years ago

    Another tip for using password managers. Back the passwords up in another password manager (KeePass for example). Or have a backup on a USB stick.
    Maybe make two backups.

  • @crazyt1483 6 years ago

    But is LastPass usable on sites that the system sees as a box that is part of a form, or bodge-job code, vs. coders who do correct formatting and labelling both front and back?

    • @crazyt1483 6 years ago

      Also one thing I dislike about computer privacy is that with Google it only lets you know what country the hacker attacked you from. I think it would be better to see a rough location of where you were hacked from, e.g. instead of it saying UK say Kent, U.K., as then you can tell if it is a rejection of a friend who spelt Thomas as Tomarse (no joke, this happened) or a low life who breathes down the back of your neck to see the key strokes

  • @phaelin 6 years ago

    I'm not comfortable with storing pw's in the cloud. Is it possible to put it on a secure usb drive (with backup naturally)?

  • @thfreakin 6 years ago

    Or use the keychain thing on Apple which makes the long passwords and stores them in the cloud

  • @Vorance 4 years ago

    Take a mixture of 3 either words or names, make it 4-6 characters long combining the words, then take a random number generator to get 4-8 characters, throw in some random allowed symbols and put it through a jumbler. Rinse and repeat for every password with different words and numbers, get LastPass and store them there, you'll eventually remember them over time but it does take a long while

  • @Nein1no 6 years ago +2

    An extremely annoying thing about making long passwords is not that they are long, but instead some websites won't allow you to use say more than 16 characters. This includes many sensitive information websites that you'd totally want more room to have a password as long as you'd like. If a free forum hosting website that nobody really cares about doesn't really limit password length, why in the world does a damn bank limit them? Some even go as far to limit certain characters. WHY? MORE IS BETTER YOU FOOOOOOLS.

  • @ItsNikoSlater 6 years ago

    How did I know before the video started that this was an ad for LastPass...

  • @gormygorm 6 years ago +2

    I would recommend using a password generator, and storing all of your passwords locally, in a text file, preferably on a flash drive. Also, use 2FA ALWAYS

    • @Povilaz 6 years ago +1

      Saving your passwords on text file on a flash drive is low level. Writing your passwords on paper is the high level!

  • @itaialter 6 years ago

    The bitly link that should go to LastPass' website opens a new tab which immediately closes for some reason.

  • @roycebracket 6 years ago

    By showing something that was cut in the video itself, does that inherently make it uncut from the video?

  • @MsJavaWolf 6 years ago

    Think about this nightmare scenario: you have created a 36-character password, completely random; actually you wrote a random number generator in your favourite programming language, on a laptop that was freshly formatted and never connected to the internet. You have used it to protect your cryptos, and now you have forgotten it.

  • @refraggedbean 6 years ago

    my password is almost TOO long for the system, and I am testing out LastPass, but my current Google password is so many of my old passwords combined, and they were already really good alone, and I always add a new bit too when it evolves

  • @clintonleonard5187 6 years ago +1

    My childhood best friend used the word Dragon in every password he would use. It was always his favorite Yugioh card at the time, which was always a dragon.

  • @originalkhawk 6 years ago

    Two factor is the worst in the way it works in most cases, where if you have access to the phone or sometimes even the phone number, you can use that to reset a password and get into the account that way, essentially making 2 factor just 1 factor. I work in IT and I have a pretty good grounding in cyber security, and the amount of people that got their accounts compromised because they had set up 2 factor you wouldn't believe, so if a site offers 2 factor please make sure it's for login only and you can't just reset the account password with the phone number or phone; if this is the case DON'T USE 2 factor, in that case just a strong password, or as they would call it in cyber a passphrase, is the better option, and of course never repeat a password and make sure you have as few accounts linked as possible so if one gets hacked into or compromised the others are likely to be safe

  • @jahkra9259 6 years ago +1

    My new password is just gonna be the tragedy of Darth Plagueis the wise

  • @JimFenton 6 years ago +1

    Very clear explanation of the new guidelines!

    • @BrandtHughes 6 years ago +1

      Couldn't have done it without presentations like yours helping us figure things out along the way! Hopefully the new guidelines gain wide adoption sooner rather than later.

  • @heidibaltom8138 3 years ago

    An IT person once told my friend "think of a song and use the 1st letter of the words of the lines" so you can sing the song in your head and type the 1st letters. I don't use that but that's one way of remembering long passwords

  • @Stargate2077 6 years ago +1

    What about KeePass? It has the password management without the online repository.

  • @ravenamiir9340 6 years ago

    the least secure password I have used in the past I made myself and it scores an 87%; should I still use a password generator?

  • @AirborneSurfer 6 years ago

    What happens when all the biometric data from Apple FaceID gets hacked? Does everyone just have to change their faces?

  • @acocarful 6 years ago

    Maybe I'm the only one who reads the description of the video; I'm thrilled that Jason plays LOTRO, didn't know that :)

  • @SerratusAnterior 6 years ago

    Yeah you guys and the MR keep uploading stuff like this man. How can I not love you guys

  • @fimbles1015 6 years ago

    I have many insecure accounts with the password "password". These are usually on websites I have very little interest in or don't plan to visit often. Is this the reason why password still remains number two?

  • @connorjohnmacdonald9001 6 years ago

    Is back and triangle 24680 the captain now i wanted hair a good password ?

  • @ramonrommers5387 2 years ago

    In the end when they put in their own passwords I got very worried for them, cause exactly these kinds of websites are used to spoof you, because the password you enter you have used once, are using or will use in the future. As an analyst here this is very scary.

  • @JoshLathamTutorials 6 years ago

    Top tip: Never re-use passwords. This is very important. It's unlikely your password will ever be brute-forced if you have a decent one. These days most password leaks are done through website vulnerabilities or phishing. Use nice unique passwords for everything and one super impossible one for your email.

  • @metrazol 6 years ago

    "Hmm, why did Brian change all his... !" "Ooooooooh."

  • @johnydecali 6 years ago

    Wow, Everquest! Thanks for bringing back memories from almost 20 years ago!... god I'm old 😓

  • @codeartha 6 years ago

    For even bigger security freaks, I suggest not using LastPass because it sends all of your passwords (I know they are encrypted but still) to the cloud. I'd strongly suggest a local-based password manager, like KeePass or PasswordSafe; they store them in a file on your computer or smartphone. Then you either manually keep the latest version of the file on your computers over USB or sync them using your own server. Your server doesn't have to cost you a single more dime as file-sharing servers can run on your computer in the background, and so your passwords will only be synced over your local network.
    I'd also suggest checking out YubiKey. It's like a USB stick that's made specifically to store your passwords and can send them to your phone using NFC when you need to log in somewhere.
    Postscriptum: 2FA is often a good way to get your phone number, as it shouldn't be required for the 2FA setup. Many sites don't ask for it. Those are good sites. Some like Facebook apparently can't do without... Just sayin'

  • @Citizen5101 6 years ago

    Upvoted purely for the new sponsor, LastPass is awesome!

  • @JohnStrangerGalt 6 years ago

    I am glad you made an episode about this since secure passwords are so undervalued. I also understand LastPass sponsored the video but I think you are doing a disservice to people by not listing options.

  • @kenwelch198 4 years ago

    Saw in a movie, guy had a magazine subscription and changed his password to the number/ letter code on the mailing label every month the latest issue came out. Sounds like it might work.

  • @jonash582 5 years ago +1

    would it help if the number of characters were a prime number?

  • @michaelthornes 6 years ago

    The one reason I'm not moving to a password manager (yet) is the inconvenience, considering I log in and out of a lot of things all the time.
    Although, the passwords I don't use a ton (such as computer login) contain 16-24 characters

  • @SerifSansSerif 6 years ago

    Another thing... Well, two things that are kinda related.
    First is using guest checkout. For most sites, if you can go without a password, you're better off. It would be nice if this was more of a standard than not for commerce sites. Furthermore, most of our site interactions aren't storing useful information. Social media sites SHOULDN'T store birthdates, phone numbers, addresses, etc. but rely solely on people sharing their usernames personally with their family, friends, etc. It's a bad practice that shouldn't have ever been put into place. Treat everything you can as a burner account. (The closest we have other than the above-mentioned "guest accounts" is that some credit cards offer rotational one-time-use CC numbers [and in my line of work I have seen this used for one particular business where an email is sent with a one-time-use CC number, and I have also dealt with a business-specific CC number where only one business is whitelisted for transactions with it], but these rely on the CC companies and users rather than using a "guest pass" system as a business-end default.)
    If you want to set up an account for the purposes of saved history and such, that's fine. Keep it separate from transactional data. I know with NJ, paying state taxes allows people to log in and see certain information with just a business name and a tax ID #, but you can't actually pay your taxes or do any sort of modification/transactions without logging in with the business name and password.
    A differentiation between what information needs to be encrypted and what does not should also be a standard. My Netflix account and playlist shouldn't require much to get in, but to access the account or pay my bill should. (And since often that is autopaid, really, you could have an 800 number with some automated menu to update any billing-related issues, which would remove access to this info from the web.) In short, if we didn't USE a highly insecure system (the web) to store highly sensitive data, passwords wouldn't be a huge issue.

  • @Impetuss 6 years ago

    Passwords with words, a symbol between them and a number at end is easy to remember but hard to brute force, for example: Disk-Nails-Container-Coconut-2

  • @splitmac 6 years ago

    I really do like the occasional sit down and discuss episode of Modern Rogue

  • @borotosic189 6 years ago

    But what would happen if your password manager (LastPass or another) gets hacked? Would you lose all of your accounts? Are all the passwords stored on a server or elsewhere?
    I've already started a friend's computer by just using the top 5 most used passwords, felt like a real hacker lol
    By the way, I saw a couple of months ago a new Instagram account linked to my fb and twitter with a mail address that wasn't mine, so I think I'll get LastPass just to be sure; is there any code I can use so they know I came from this video?