I was skeptical of watching this video, but after watching it I can say "Today I learned". It is a really good technique I never thought of. Awesome, thank you Gary
'Peppering' is a good mitigation (for those in the 'know').
Not only is it tricky to incorporate, it is nigh impossible to implement or teach company-wide.
Best (albeit weak) practice is (imho) long passwords (e.g. 14 characters or more) using spaces and/or ASCII characters.
This will (semi) force users to use sentences.
A combination of words will reduce the 'brute-force'-likelihood of a breach (especially if there is BF-mitigation implemented).
All said, Gary, you're a great source for security knowledge.
Yep. Came here to say this. Length is the main contributor to password strength. Correct Horse Battery Staple, and all that jazz.
@@PrivateUsername What? How did you 'guess' my global-admin password??
@@PrivateUsername- A password's strength is derived from its length and the number of bits used in each character. Ideally you would use all 8 bits in each character for a total of 255 combinations. In reality due to the limitations of the English keyboard, it only allows about 94 unique characters, including lower, upper, and special characters. As long as you're using random characters of at least 30 or more, it's impossible to crack it by brute force using current computing power which of course may change in the future.
Gary I wanna give you a hug for this one mate
Simple and Effective. A really Helpful Explanation too. Great !
Peppering, or double-blind, I add mine at the beginning instead of at the end.
Good stuff, thank you!
I have been using a mnemonic style where I replace a word with a character and form a short sentence, combined with what you call peppering.
So for example: ~
Using three or four words randomly or pseudo-randomly generated to form a sentence and then turning them into a mnemonic is an interesting idea, with the peppering on the end as the change-up now and then.
Great advice! I watched another RUclipsr who called it a "double blind" password. The password manager never has the full password stored for your high valued sites.
Gary Explains well
I used to do it myself; the 3 letters I added at the end were: the first letter of the month the account was created, the last letter of the site capitalized, the second letter of the site. I don't do it anymore, but this means there is no need to remember these 3 letters. The general idea is to memorize a mental algorithm that you can follow to calculate your password instead of memorizing the password itself.
Websites can change their domains or just the TLD and still use the same database making the pepper incorrect
@@Victor_Marius Good point but that happens very rarely
I use an offline password manager, KeePass. No server to be hacked. I back up the database to USB drives, portable storage, mobile phone and other computers and sync manually. I do not know a single password to any of my accounts, only a passphrase compiled with diceware, using actual dice and a printed hard copy dictionary list.
Interesting technique.
This is brilliant! Thanks for sharing, I never thought about this
Excellent information, thank you.
smart clever trick!!
This is great and helpful. You are a genius!
Glad it was helpful!
Wouldn't call it "genius" but definitely clever. :)
"Genius" would be discovering something extraordinary like capturing dark matter or E=MC2 ;)
Thanks, great idea but you need to pepper all your passwords. If not, you may forget which have the pepper.
Not necessarily. You could just use a pepper for your main email account and maybe for your online banking. Everything else leave as it is. That way in the worst case you can change your passwords (since your email is secure), and still access your money.
I use BitWarden. In the note field, I make a note if it's peppered or not.
Great and simple technique ❤
Very informative!
Good idea, I already do this. 👍
Clever but my swiss cheese brain will have trouble remembering the pattern 6 months from now. Awesome idea though.
Then write down your password manager master password and the algorithm you use for pepper, and store it in a safe place (and not in your computer). You store your confidential papers somewhere don't you?
Chuck Norris doesn’t use passwords. He is the password.
Chuck Norris doesn't need a password, he just breaks the login with a kick. ;D
My "cookie cutter password" is (very basically): symbol, uppercase letter, lowercase letter, number, uppercase letter, lowercase letter, number, symbol, uppercase letter, lowercase letter, number, uppercase letter, lowercase letter, number, symbol. Works 100% and took me two tries to fully remember it. :^)
Someone can write a script to crack your password in about 2 seconds with this information. Delete this and change your passwords immediately. Other than hacking, a technique used to get someone's password is called social engineering, which basically involves tricking someone into giving out clues about their password. You've given out a huge clue and by the sounds of it you use that password for everything.
@@benfubbs2432 Oh, my! Haven't you heard? You can also crack someone else's password via A RUclips POST! Just like yours right now. :^)
Thank you 😅
*GARY!!!*
GOOD MORNING PROFESSOR!
GOOD MORNING FELLOW CLASSMATES!
Stay safe out there everyone!
Mark ‼️‼️‼️
Brilliant.
Simple but great tip. Thanks.
I'm going to do this with my 100 character bank password that I store in a local password manager that uses a key file as well as a master password, oh, and the bank also requires two factor authentication. Can't be too secure, you know.
But I'm going to type 1 2 3 4 17 characters in, instead of at the end. (at least that is what I'm saying I will do)
Are you related to Veronica Explains?
BRILLIANT!
I should do this ASAP.
Can we control the server-side salting?
Yes! Become the CEO!
Never delete characters. Password length is by far the biggest determinant in security. A 16 character password using nothing but random upper case letters will have a higher entropy rating than a 12 character password randomly generated using uppercase, lowercase, numeric, and special characters. Even a 16 all-numeric password rates nearly as high as the most complex 12 character password. Anyone can verify this using an online password evaluator.
So what about a 20 character password saved in the password manager and then you delete 4 characters?
@@GaryExplains The 16 character will be extremely secure but still less so than the 20 character. Why would you want to deliberately reduce the security? Is it much easier to delete 4 than add 4?
I suppose it might be marginally easier to delete last 4 than remember what 4 you added, if you don't use the same 4 everywhere. But when you hit submit the PWM is going to ask if you want to update password and you need to be sure not to, so that adds a bit of complexity back into it.
If the password manager is asking to save the new password when you delete 4, it will also ask if you add 4.
@@GaryExplains Yes it will, which is why the peppering approach makes using a password manager more tedious.
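A worked check of the entropy figures argued over above (16 random uppercase letters vs 12 full-charset characters, deleting 4 characters vs adding a 4-character pepper, and the diceware-style phrases mentioned earlier), as an added example that is not from the video or from any commenter. It assumes every symbol is chosen uniformly at random, a 94-character printable set as cited in the thread, and a constructed guess rate of 1e11 per second.

```python
import math

# Alphabet sizes matching the figures the thread uses (constructed
# assumption: every symbol is chosen uniformly at random, which is the
# only case an entropy figure describes).
UPPER = 26             # A-Z
DIGITS = 10            # 0-9
FULL_ASCII = 94        # printable ASCII without space, as cited above
DICEWARE_WORDS = 7776  # 6^5 entries in a standard diceware list

# Password shapes discussed in the thread; each is a list of independent
# parts, (alphabet_size, number_of_symbols).
THREAD_SHAPES = {
    "16 random uppercase letters":  [(UPPER, 16)],
    "12 random full-charset chars": [(FULL_ASCII, 12)],
    "16 random digits":             [(DIGITS, 16)],
    "20 random full-charset chars": [(FULL_ASCII, 20)],
    "20 stored, last 4 deleted":    [(FULL_ASCII, 16)],
    "16 stored + 4-char pepper":    [(FULL_ASCII, 16), (FULL_ASCII, 4)],
    "4 diceware words":             [(DICEWARE_WORDS, 4)],
}


def entropy_bits(alphabet_size: int, count: int) -> float:
    """Entropy of `count` symbols drawn uniformly from `alphabet_size` choices."""
    return count * math.log2(alphabet_size)


def combined_bits(parts) -> float:
    """Entropy of a password built from independent parts (e.g. a string the
    manager stores plus a pepper that exists only in the owner's head)."""
    return sum(entropy_bits(size, n) for size, n in parts)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of a `bits`-bit search space."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def rank(shapes: dict) -> list:
    """Shape names ordered from most to least brute-force entropy."""
    return sorted(shapes, key=lambda name: combined_bits(shapes[name]), reverse=True)


def report(shapes: dict, guesses_per_second: float = 1e11) -> dict:
    """Map each shape to (bits, years) at the given guess rate. The rate is a
    constructed figure for an offline attack on a fast hash, not a measurement."""
    return {
        name: (combined_bits(parts),
               years_to_exhaust(combined_bits(parts), guesses_per_second))
        for name, parts in shapes.items()
    }


if __name__ == "__main__":
    table = report(THREAD_SHAPES)
    for name in rank(THREAD_SHAPES):
        bits, years = table[name]
        print(f"{name:30s} {bits:6.1f} bits  {years:12.3g} years")
    # If only the 16 stored characters leak from the manager, an attacker
    # still faces the pepper's own search space on top of them.
    print(f"residual search for a 4-char pepper: {entropy_bits(FULL_ASCII, 4):.1f} bits")
```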
Extremely informative, thank you professor
Salting just stops rainbow tables and really doesn't make it any harder for someone to crack an individual password. If a hacker can get the password file, it's likely they will also be able to know or have the salt as well.
True. It would probably be more secure if you had the salt in the program, not the database. Use something like the username or the unique username/handle or the email or the creation date or all of the above in any order you want, and this way you save some database space.
What? Nothing beats changing passwords. Nothing beats passphrases or pass-sentences. I like lines of poetry with words mixed, split with periods, dashes and/or underscores, along with character substitution. With this technique I can use the same pass for many places, just switching or trading the pass: jumble, rejumble, unjumble. I only have to recall one coded pass. The main thing is I never use the same pass twice on the same place, ever. I change every two to four months.
Changing passwords is useless in all but a few niche use cases, such as a shared-password case or insecure work environment. A password cracker is going to crack an 8 character password in less than a second, doesn't matter if it's been in use ten years or ten minutes. A password cracker will take billions of years (aka never) to crack a 20 character phrase using a full character set, doesn't matter if it's been in use ten years or ten minutes.
Nothing beats is a bold statement. Similar to "xxxx killer" Also these "Nothing beats..." are outdated.
GREAT idea .. I have a system of my own that is like this. I will incorporate this method with mine. Thanks Gary
Pretty simple and makes a lot of sense!
In case of Peppering, one thing I'm anxious about, is the constant popups of password manager (esp browser-based like chrome's own built in) to Update the Password.
Peppering will make password managers a nightmare to maintain because of this. They will save what you peppered so you will have to edit the database manually.
@@reefhound9902 Not really, Chrome's password manager prompts you to save and saves only when you click on it. Now you would get prompts to update the password if you modify it when logging in, but that's the extent of it.
Just ignore the popups. A little inconvenience for peace of mind, at least in my case.
Confusing
Help for me
The safest place for passwords is in your head and at your home on an encrypted USB drive. Not in password managers. Do you trust other people with your money, your business? LOL, give your head a shake folks.
Totally disagree
@@dav1dw I have done it like this for 20 years, never had a problem.
I always use 3rd method.
Gary,
Thanks for this video. Makes a lot of sense. As before, may I ask a stupid question? At one point, I was determined to write my own password generator based on hashing. I had the code working, but ran into a problem: websites had different rules on what kind of characters they would accept. The special characters I was generating would be considered invalid at some websites but not others. Is there any safe set of rules when generating random text for passwords? Thanks!
I would say, as you have found, each website can be different.
I would include a selection so you can choose what chars to include at any given time. This is what most password managers do.
@@john_unforsaken I thought as much. And this implies that do-it-yourself password generation is not very practical :D
Could you not just use a subset of special characters that works across most (all) sites?
@@GaryExplains That is what I had hoped for. My question is whether others have already come up with a safe set of characters to use. Websites are not exactly forthcoming with their precise password acceptance rules :D
Perhaps you can get some inspiration from other password creating programs. There is not one general rule and e.g. on one site perhaps only numbers are allowed and on another site only characters from a to z. So you need to ask questions like how many characters must the password be (between .. and ..), how many numbers, how many characters, upper and lower case, special characters (and which).
Barefoot Contessa fan too 😅
Really interesting video. Same as many commenters, I was skeptical before watching this, but I can say I learned something today.
Might not be applicable to all. I tend to forget the entire password that's the reason i went with password manager.
Yes, that is normal, I can't keep track of the hundreds of passwords I need. But it isn't hard to remember 4 letters. You use the same pepper for all passwords, you don't need to remember a different pepper for each password.
@@GaryExplains yeah it is. Might give it a go for few sites and see how it goes
Pass the pepper
Gaaaaaarrrryyyyy!!!!! 👋🏽
You end up using the same password on multiple sites… not good!
No, the password stored by the password manager should be unique per site, but the pepper is the same.
@@GaryExplains Thanks for the clarification... I didn't pick that up in the video... My bad.
@@davidrobertson415 I thought this too.
No, you only end up using the same suffix on multiple sites.
Good technique indeed! However, if one forgets the pepper, then it will be as good as all the login credentials being lost. I don't think this technique is for everyone, especially those with poor memories.
The pepper could be to literally just add 1 to the end of all passwords, or your initials or your date of birth. If someone can't remember that, they should probably have a third party controlling their accounts anyway.
Sooo, I make a strong password like chocolate cookies and pepper it with q1w2, so my password is chocolate cookie q1w2, and to be extra cheeky I will remove the last 4 characters. NOW MY PASSWORD IS chocolate cookie, AN UNSECURED EASY TO BREAK PASSWORD
I already did peppering, but deleting characters in the saved password and adding my pepper is even better!
Another one I use when using public computers or if I suspect my PC has a virus is using the on-screen keyboard to type it in; that way keyloggers can't grab any input. Simply, in Windows, go to Settings / Accessibility / On-screen keyboard.
The settings path is called "Ease of Access"/Keyboard or just Windows Key + CTRL + O.
Out of curiosity I checked this and you are wrong. A Python keyboard module (called "pynput"), or let's say a "keylogger" as Windows Security called it, makes no distinction between a key press of a physical key and a virtual one using the Windows 10 On-Screen Keyboard.
I use the first way you told. Part is in the password manager and part of it is in my mind. Although that half part in my mind is common for all my passwords. So easy to manage all passwords.
L3t M3 3xplain
👍🏼Class is in session, thank you professor👍🏼
I use a kind of peppering with my credit cards' PIN numbers. I have only one four figure number to remember, then I calculate the four numbers I have to add to it to get a banking card's PIN code. I write these numbers on all my credit cards. When using them I have to add my secret number. But I only have to remember this one secret number. I use the same everywhere a four character PIN is required.
A number appearing to be the PIN written on the credit card may also confuse the wrong guys if stolen; they would first try to use it in an ATM, and there is a chance the card gets blocked, so it is more likely they can't use it for online purchases afterwards either.
This technique is all very well, however if the server is hacked and if the password database is not encrypted, then this method is of no use
No, quite the contrary. But before I get into that, it would be quite rare today for a website to have a database that is not encrypted. But to your point, this is exactly why you should do it. If the database is stolen and your password is freely available then the hackers DON'T have your password, there are 4 letters missing, which a) they don't know are missing, b) they don't know the length of what is missing, c) only you know the letters. In other words the exact opposite of what you just wrote.
@@GaryExplains If the server database is stolen, if it's not encrypted, how wouldn't the hacker know the password? Whether your password is password1234, it's the one on the server end, not the client end, or have I missed something?
How many times have sloppy policies on servers been the cause of password theft?
@@GaryExplains But when you create a password for the site, you need to have the whole password to create the login. So they will always know the correct password, even if you tell your password manager a different one to save and you add the rest upon it autofilling. So if the website gets hacked, they have your password, right? I mean they need to know your complete password to log you in.
easy... write it down backwards
That's actually pretty smart, it's like public/private key IRL
My password is 8 asterisks. Every website knows my password when I type it. Weird.
???
BTW: paraphrasing Dilbert’s boss here to support Scott Adams. He is cancelled by the woke cult.
So do mine as well! What are the odds!
I use a variant of this. My password manager stores a long random string, I know a long phrase, I combine the 2 and hash a number of times to produce my password. That way the password is never stored by me.
Yes, obviously there are lots of ways to generate a password, but you are sacrificing convenience for a long process of string concatenation, multiple hashing etc.
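As an added illustration (not from the video or from this commenter) of the derive-rather-than-store approach described just above, and of the per-site character-set selection discussed earlier in the thread: the manager-stored string and the memorised phrase are combined and stretched with PBKDF2 using the site name as salt, and the output is mapped without modulo bias onto whichever characters a given site accepts, re-deriving until the site's class rules are met. All names, the demo inputs, the hypothetical site policy and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import string

# Constructed demo inputs (not real secrets): the random string a manager
# would hold, the phrase that lives only in the user's head, and a policy
# for a hypothetical site that allows letters, digits and four symbols.
DEMO_STORED_SECRET = "Qz7vLm2pR9sXe4bNc1tW"             # constructed
DEMO_PHRASE = "my rather long memorised phrase"         # constructed
DEMO_ALPHABET = string.ascii_letters + string.digits + "!@#$"
DEMO_POLICY = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$"]


def derive_site_password(stored_secret, phrase, site, alphabet, length, iterations=100_000):
    """Deterministically derive a password for `site` from the two halves.
    PBKDF2 stretches the combined secret with the site name as salt, so each
    site gets an unrelated password; HMAC in counter mode expands that key,
    and rejection sampling maps bytes onto `alphabet` without modulo bias."""
    if not 1 < len(alphabet) <= 256:
        raise ValueError("alphabet must have between 2 and 256 characters")
    secret = (stored_secret + "\x00" + phrase).encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", secret, site.encode("utf-8"), iterations, dklen=32)
    limit = 256 - (256 % len(alphabet))   # largest multiple of len(alphabet) <= 256
    out, counter = [], 0
    while len(out) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < limit:                 # discard bytes that would bias the draw
                out.append(alphabet[b % len(alphabet)])
                if len(out) == length:
                    break
    return "".join(out)


def meets_policy(password, required_classes):
    """True if at least one character from every required class is present."""
    return all(any(c in cls for c in password) for cls in required_classes)


def derive_with_policy(stored_secret, phrase, site, alphabet, length,
                       required_classes, max_tries=100):
    """Re-derive with a numbered salt until the site's class rules are met;
    the sequence is deterministic, so the same inputs always give the same result."""
    for n in range(max_tries):
        salt = site if n == 0 else f"{site}#{n}"
        candidate = derive_site_password(stored_secret, phrase, salt, alphabet, length)
        if meets_policy(candidate, required_classes):
            return candidate
    raise ValueError("no candidate satisfied the policy; loosen it or lengthen the password")


def demo(site="example.com", length=20):
    """Derive the demo password for one hypothetical site."""
    return derive_with_policy(DEMO_STORED_SECRET, DEMO_PHRASE, site,
                              DEMO_ALPHABET, length, DEMO_POLICY)


if __name__ == "__main__":
    print("example.com:", demo("example.com"))
    print("example.org:", demo("example.org"))
```

Only the memorised phrase and the stored string need protecting; the site name and the policy can be public, and losing either half of the secret loses every derived password.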
CorrectHorseBatteryStapleq#W7
Make a memorable weird and funny sentence drawn from your own life and use the letters in the sentence and then add 12 random numbers and 3 symbols.
For example: my high school chemistry teacher Mary Lopez had an affair with the gym teacher Paul Watson.
That would translate to mhsctMLhaawtgtPW#120925@961275!
😂