This Trick Will Make Your Passwords Even More Secure

  • Published: 28 Sep 2024
  • Peppering is a technique where you add or subtract some characters from a stored password, so that the whole password is known only to you. This increases the security of your essential accounts and means that if your stored passwords are ever revealed (by hackers, or because your little black book has been stolen) the attackers still don't know the complete password!
    ---
    Let Me Explain T-shirt: teespring.com/...
    Twitter: / garyexplains
    Instagram: / garyexplains
    #garyexplains
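    As an added illustration (not code from the video or the channel), the following Python shows the two variants the description mentions, adding memorised characters to the stored string or leaving characters out of it, and counts how many candidates someone who holds only the stored copy still has to try when an appended pepper's length and characters are unknown. The stored string and the pepper are constructed sample values.

```python
import math

# Constructed sample values; not taken from the video or any real account.
STORED = "v7Qp!3mZx9Lr@Tk2"   # what the password manager (or little black book) holds
PEPPER = "q1w2"               # the part only the user knows; reused across accounts

# Printable ASCII without the space character, the usual keyboard alphabet.
ALPHABET_SIZE = 94


def pepper_append(stored: str, pepper: str, at_end: bool = True) -> str:
    """Variant 1: the real password is the stored string plus the memorised pepper.
    The manager only ever holds `stored`, so a leaked vault lacks the pepper."""
    return stored + pepper if at_end else pepper + stored


def pepper_delete(stored: str, drop: int) -> str:
    """Variant 2: store a longer string and type it minus its last `drop` characters.
    Refuses to drop everything, which would leave an empty password."""
    if drop <= 0 or drop >= len(stored):
        raise ValueError("drop must be between 1 and len(stored) - 1")
    return stored[:-drop]


def residual_candidates(max_pepper_len: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Guesses left for someone who has `stored` but not an appended pepper, when the
    pepper may be 1..max_pepper_len characters from the alphabet and its length is
    unknown, so every length has to be tried."""
    return sum(alphabet_size ** n for n in range(1, max_pepper_len + 1))


def residual_bits(max_pepper_len: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """The same search space expressed in bits (log2 of the candidate count)."""
    return math.log2(residual_candidates(max_pepper_len, alphabet_size))


def stored_copy_is_incomplete(real: str, stored: str) -> bool:
    """Sanity check for a vault entry: the stored value must differ from the real
    password, otherwise a leak of the vault is a leak of the password."""
    return real != stored


if __name__ == "__main__":
    real = pepper_append(STORED, PEPPER)
    print("stored in manager :", STORED)
    print("typed at login    :", real)
    print("vault copy incomplete:", stored_copy_is_incomplete(real, STORED))
    print("deletion variant  :", pepper_delete(STORED, 4))
    print(f"residual guesses for a 1-4 char pepper: {residual_candidates(4):,}"
          f" (~{residual_bits(4):.1f} bits)")
```

    The candidate count applies only to an appended pepper; it says nothing about the strength of the stored string itself, which still has to be long and random.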

Comments • 132

  • @NexuJin 1 year ago +1

    I have been using a mnemonic style where I replace a word with a character and form a short sentence, combined with what you call peppering.
    So for example: ~

    • @MikeWood 1 year ago

      Using three or four words randomly or pseudo-randomly generated to form a sentence and then turning them into a mnemonic is an interesting idea, with the peppering on the end as the change-up now and then.

  • @send2gl 1 year ago +1

    Interesting technique.

  • @test40323 1 year ago +2

    Clever, but my Swiss cheese brain will have trouble remembering the pattern 6 months from now. Awesome idea though.

    • @jonpinkley2844 1 year ago

      Then write down your password manager master password and the algorithm you use for pepper, and store it in a safe place (and not in your computer). You store your confidential papers somewhere don't you?

  • @uidx-bob 1 year ago +1

    Chuck Norris doesn’t use passwords. He is the password.

    • @BillAnt 1 year ago

      Chuck Norris doesn't need a password, he just breaks the login with a kick. ;D

  • @zine_eddinex24 7 months ago

    Thank you 😅

  • @prakash_77 1 year ago +4

    In the case of peppering, one thing I'm anxious about is the constant popups from the password manager (especially browser-based ones like Chrome's own built-in) to update the password.

    • @reefhound9902 1 year ago

      Peppering will make password managers a nightmare to maintain because of this. They will save what you peppered so you will have to edit the database manually.

    • @prakash_77 1 year ago +1

      @@reefhound9902 Not really, Chrome's password manager prompts you to save and saves only when you click on it. Now you would get prompts to update the password if you modify it when logging in, but that's the extent of it.

    • @manny7886 6 months ago

      Just ignore the popups. A little inconvenience for peace of mind, at least in my case.

  • @khayla_matthews 1 year ago

    Brilliant.

  • @1MarkKeller 1 year ago

    *GARY!!!*
    GOOD MORNING PROFESSOR!
    GOOD MORNING FELLOW CLASSMATES!
    Stay safe out there everyone!

  • @DawdaBah-q7o 8 months ago

    Help for me

  • @paulgee-i7j 1 year ago

    I'm going to do this with my 100 character bank password that I store in a local password manager that uses a key file as well as a master password, oh, and the bank also requires two factor authentication. Can't be too secure, you know.
    But I'm going to type 1 2 3 4 17 characters in, instead of at the end. (At least that is what I'm saying I will do.)
    Are you related to Veronica Explains?

  • @Saurabh.P 1 year ago +1

    I always use 3rd method.

  • @eyeshezzy 1 year ago

    Barefoot Contessa fan too 😅

  • @nycrsny3406 1 year ago +1

    Pretty simple and makes a lot of sense!

  • @allanflippin2453 1 year ago +1

    Gary,
    Thanks for this video. Makes a lot of sense. As before, may I ask a stupid question? At one point, I was determined to write my own password generator based on hashing. I had the code working, but ran into a problem: websites had different rules on what kind of characters they would accept. The special characters I was generating would be considered invalid at some websites but not others. Is there any safe set of rules when generating random text for passwords? Thanks!

    • @john_unforsaken 1 year ago

      I would say had you found each website can be different.
      I would include a selection so you can choose what chars to include at any given time. This is what most password managers do.

    • @allanflippin2453 1 year ago

      @@john_unforsaken I thought as much. And this implies that do-it-yourself password generation is not very practical :D

    • @GaryExplains 1 year ago +2

      Could you not just use a subset of special characters that works across most (all) sites?

    • @allanflippin2453 1 year ago

      @@GaryExplains That is what I had hoped for. My question is whether others have already come up with a safe set of characters to use. Websites are not exactly forthcoming with their precise password acceptance rules :D

    • @JanJeronimus 1 year ago

      Perhaps you can get some inspiration from other password-creating programs. There is not one general rule, and e.g. on one site perhaps only numbers are allowed and on another site only characters from a to z. So you need to ask questions like: how many characters must the password be (between .. and ..)? How many numbers, how many characters, upper and lower case, special characters (and which)?

  • @Garythefireman66 1 year ago

    Pass the pepper

  • @reefhound9902 1 year ago

    Never delete characters. Password length is by far the biggest determinant of security. A 16 character password using nothing but random upper case letters will have a higher entropy rating than a 12 character password randomly generated using uppercase, lowercase, numeric, and special characters. Even a 16 character all-numeric password rates nearly as high as the most complex 12 character password. Anyone can verify this using an online password evaluator.

    • @GaryExplains 1 year ago

      So what about a 20 character password saved in the password manager and then you delete 4 characters?

    • @reefhound9902 1 year ago

      @@GaryExplains The 16 character one will be extremely secure but still less so than the 20 character one. Why would you want to deliberately reduce the security? Is it much easier to delete 4 than add 4?

    • @reefhound9902 1 year ago

      I suppose it might be marginally easier to delete the last 4 than remember what 4 you added, if you don't use the same 4 everywhere. But when you hit submit the PWM is going to ask if you want to update the password and you need to be sure not to, so that adds a bit of complexity back into it.

    • @GaryExplains 1 year ago

      If the password manager is asking to save the new password when you delete 4, it will also ask if you add 4.

    • @reefhound9902 1 year ago

      @@GaryExplains Yes it will, which is why the peppering approach makes using a password manager more tedious.

  • @vasudevmenon2496 1 year ago

    Might not be applicable to all. I tend to forget the entire password; that's the reason I went with a password manager.

    • @GaryExplains 1 year ago

      Yes, normally that is the case: I can't keep track of the hundreds of passwords I need. But it isn't hard to remember 4 letters. You use the same pepper for all passwords, you don't need to remember a different pepper for each password.

    • @vasudevmenon2496 1 year ago

      @@GaryExplains Yeah, it is. Might give it a go for a few sites and see how it goes.

  • @davidrobertson415 1 year ago +1

    You end up using the same password on multiple sites… not good!

    • @GaryExplains 1 year ago +1

      No, the password stored by the password manager should be unique per site, but the pepper is the same.

    • @davidrobertson415 1 year ago +2

      @@GaryExplains Thanks for the clarification... I didn't pick that up in the video... My bad.

    • @MikeWood 1 year ago +1

      @@davidrobertson415 I thought this too.

    • @OMGWTFLOLSMH 1 year ago

      No, you only end up using the same suffix on multiple sites.

  • @starkistuna 1 year ago

    Another one I use when using public computers, or if I suspect my PC has a virus, is using the on-screen keyboard to type it in; that way keyloggers can't grab any input. Simply, in Windows go to Settings / Accessibility / On-Screen Keyboard.

    • @Victor_Marius 1 year ago

      The settings path is called "Ease of Access"/Keyboard, or just Windows Key + CTRL + O.
      Out of curiosity I checked this and you are wrong. A Python keyboard module (called "pynput"), or let's say a "keylogger" as Windows Security called it, makes no distinction between a key press of a physical key and a virtual one using the Windows 10 On-Screen Keyboard.

  • @ToddMoore1 1 year ago +1

    👍🏼Class is in session, thank you professor👍🏼

  • @AQDuck 1 year ago

    That's actually pretty smart, it's like public/private key IRL

  • @spiderjump 1 year ago

    Make a memorable, weird and funny sentence drawn from your own life, use the letters in the sentence, and then add 12 random numbers and 3 symbols.
    For example: my high school chemistry teacher Mary Lopez had an affair with the gym teacher Paul Watson.
    That would translate to mhsctMLhaawtgtPW#120925@961275!

  • @coweatsman 7 months ago +1

    I use an offline password manager, KeePass. No server to be hacked. I back up the database to USB drives, portable storage, mobile phone and other computers and sync manually. I do not know a single password to any of my accounts, only a passphrase compiled with diceware, using actual dice and a printed hard copy dictionary list.

  • @Techier868 1 year ago +2

    Gaaaaaarrrryyyyy!!!!! 👋🏽

  • @deepgsingh 1 year ago +10

    I was skeptical of watching this video, but after watching it I can say "Today I learned". It is a really good technique I never thought of. Awesome, thank you Gary.

  • @kered2248 1 year ago +2

    Good stuff, thank you!

  • @rahilarious 1 year ago +2

    smart clever trick!!

  • @manny7886 6 months ago +1

    Peppering, or double-blind, I add mine at the beginning instead of at the end.

  • @STONE69_ 8 months ago +1

    The safest place for passwords is in your head and at your home on an encrypted USB drive. Not in password managers... Do you trust other people with your money, your business? LOL give your head a shake folks.

    • @dav1dw 7 months ago

      Totally disagree

    • @STONE69_ 7 months ago +1

      @@dav1dw I have done it like this for 20 years, never had a problem.

  • @TheCârtiță 1 year ago

    Sooo, I make a strong password like chocolate cookies and pepper it with q1w2 so my password is chocolate cookie q1w2 and to be extra cheeky I will remove the last 4 characters. NOW MY PASSWORD IS chocolate cookie AN UNSECURED EASY TO BREAK PASSWORD

  • @taher9358 1 year ago +1

    Gary I wanna give you a hug for this one mate

  • @dezmondwhitney1208 1 year ago +8

    Simple and Effective. A really Helpful Explanation too. Great !

  • @maartentoors 1 year ago +8

    'Peppering' is a good mitigation (for those in the 'know').
    Not only is it tricky to incorporate, it is nigh impossible to implement or teach company-wide.
    Best (albeit weak) practice is (imho) long passwords (e.g. 14 characters or more) using spaces and/or ASCII characters.
    This will (semi) force users to use sentences.
    A combination of words will reduce the 'brute-force'-likelihood of a breach (especially if there is BF-mitigation implemented).
    All said, Gary, you're a great source for security knowledge.

    • @PrivateUsername 1 year ago +2

      Yep. Came here to say this. Length is the main contributor to password strength. Correct Horse Battery Staple, and all that jazz.

    • @maartentoors 1 year ago +1

      @@PrivateUsername What? How did you 'guess' my global-admin password??

    • @BillAnt 1 year ago

      @@PrivateUsername A password's strength is derived from its length and the number of bits used in each character. Ideally you would use all 8 bits in each character for a total of 255 combinations. In reality, due to the limitations of the English keyboard, it only allows about 94 unique characters, including lower, upper, and special characters. As long as you're using at least 30 or more random characters, it's impossible to crack by brute force using current computing power, which of course may change in the future.

  • @JustinWong-w8j 1 year ago +1

    Thanks, great idea but you need to pepper all your passwords. If not, you may forget which have the pepper.

    • @GaryExplains 1 year ago

      Not necessarily. You could just use a pepper for your main email account and maybe for your online banking. Everything else leave as it is. That way in the worst case you can change your passwords (since your email is secure), and still access your money.

    • @manny7886 6 months ago

      I use BitWarden. In the note field, I make a note if it's peppered or not.

  • @whothefoxcares 1 year ago +1

    L3t M3 3xplain

  • @gretafranklin6336 2 months ago

    Confusing

  • @BlueFlyer83 6 months ago +1

    Great advice! I watched another YouTuber who called it a "double blind" password. The password manager never has the full password stored for your high-value sites.

  • @TravelEndleslie 1 year ago +1

    This is great and helpful. You are a genius!

    • @GaryExplains 1 year ago

      Glad it was helpful!

    • @BillAnt 1 year ago

      Wouldn't call it "genius" but definitely clever. :)
      "Genius" would be discovering something extraordinary like capturing dark matter or E=MC2 ;)

  • @murtadha96 1 year ago +4

    This is brilliant! Thanks for sharing, I never thought about this

  • @justchilling5448 6 months ago

    Excellent information, thank you.

  • @mick_hyde 1 year ago

    Good idea, I already do this. 👍

  • @iamstartower 1 year ago

    easy... write it down backwards

  • @chmun77 1 year ago +2

    Good technique indeed! However, if one forgets about the pepper, then it will be as good as all the login credentials are lost. I don't think this technique is for everyone, especially those with poor memories.

    • @benfubbs2432 1 year ago +2

      The pepper could be to literally just add 1 to the end of all passwords, or your initials, or your date of birth; if someone can't remember that, they should probably have a third party controlling their accounts anyway.

  • @GustavoMsTrashCan 1 year ago

    My "cookie cutter password" is (very basically), Symbol,Uppercaseletter,Lowercaseletter,number,Uppercaseletter,lowercaseletter,number,symbol,Uppercaseletter,lowercaseletter,number,Uppercaseletter,lowercaseletter,number,symbol. Works 100% and took me two tries to fully remember it. :^)

    • @benfubbs2432 1 year ago

      Someone can write a script to crack your password in about 2 seconds with this information. Delete this and change your passwords immediately. Other than hacking, a technique used to get someone's password is called social engineering, which basically involves tricking someone into giving out clues about their password. You've given out a huge clue and by the sounds of it you use that password for everything.

    • @GustavoMsTrashCan 1 year ago

      @@benfubbs2432 Oh, my! Haven't you heard? You can also crack someone else's password via A YouTube POST! Just like yours right now. :^)

  • @Ken.- 1 year ago

    Salting just stops rainbow tables and really doesn't make it any harder for someone to crack an individual password. If a hacker can get the password file, it's likely they will also know or have the salt as well.

    • @Victor_Marius 1 year ago

      True. Probably it would be more secure if you had the salt in the program, not the database. Use something like the username or the unique username/handle or the email or the creation date, or all of the above in any order you want, and this way you save some database space.

  • @phir9255 1 year ago

    I used to do it myself; the 3 letters I added at the end: the first letter of the month the account was created, the last letter of the site capitalized, the second letter of the site. I don't do it anymore, but this means there is no need to remember these 3 letters. The general idea is to memorize a mental algorithm that you can follow to calculate your password instead of memorizing the password itself.

    • @Victor_Marius 1 year ago

      Websites can change their domains, or just the TLD, and still use the same database, making the pepper incorrect.

    • @phir9255 1 year ago

      @@Victor_Marius Good point but that happens very rarely

  • @byronwatkins2565 1 year ago

    Can we control the server-side salting?

    • @Ken.- 1 year ago

      Yes! Become the CEO!

  • @chasonsnotes 1 year ago

    What? Nothing beats changing passwords. Nothing beats passphrases or pass-sentences. I like lines of poetry with words mixed, split with periods, dashes and/or underscores, along with character substitution. With this technique I can use the same pass for many places, just switching or trading the pass: jumble, rejumble, unjumble. I only have to recall one coded pass. The main thing is I never use the same pass twice on the same place, ever. I change every two to 4 months.

    • @reefhound9902 1 year ago

      Changing passwords is useless in all but a few niche use cases, such as a shared-password case or insecure work environment. A password cracker is going to crack an 8 character password in less than a second, doesn't matter if it's been in use ten years or ten minutes. A password cracker will take billions of years (aka never) to crack a 20 character phrase using a full character set, doesn't matter if it's been in use ten years or ten minutes.

    • @dav1dw 7 months ago

      "Nothing beats" is a bold statement. Similar to "xxxx killer". Also, these "Nothing beats..." are outdated.

  • @roku_nine 1 year ago +2

    Very informative!

  • @olafschermann1592 1 year ago +2

    Great and simple technique ❤

  • @1MarkKeller 1 year ago +1

    BRILLIANT!
    I should do this ASAP.

  • @robertsandy3794 1 year ago +1

    This technique is all very well, however if the server is hacked and if the password database is not encrypted, then this method is of no use

    • @GaryExplains 1 year ago

      No, quite the contrary. But before I get into that, it would be quite rare today for a website to have a database that is not encrypted. But to your point, this is exactly why you should do it. If the database is stolen and your password is freely available then the hackers DON'T have your password, there are 4 letters missing, which a) they don't know are missing, b) they don't know the length of what is missing, c) only you know the letters. In other words the exact opposite of what you just wrote.

    • @robertsandy3794 1 year ago +1

      @@GaryExplains If the server database is stolen, if it's not encrypted, how wouldn't the hacker know the password? Whether your password is password1234, it's the one on the server end, not the client end, or have I missed something?
      How many times have sloppy policies on servers been the cause of password theft?

    • @jefferycampbell9182 1 year ago +1

      @@GaryExplains But when you create a password for the site, you need to have the whole password to create the login. So they will always know the correct password even if you tell your password manager a different one to save where you add the rest upon it autofilling, so the website gets hacked, they have your password right? I mean they need to know your complete password to log you in.

  • @ernstoud 1 year ago +2

    My password is 8 asterisks. Every website knows my password when I type it. Weird.

    • @fanban2926 1 year ago

      ???

    • @ernstoud 1 year ago

      BTW: paraphrasing Dilbert’s boss here to support Scott Adams. He is cancelled by the woke cult.

    • @chmun77 1 year ago

      So do mine as well! What are the odds!

  • @klapas1821 1 year ago +10

    Extremely informative, thank you professor

  • @catmom4265 1 year ago

    GREAT idea .. I have a system of my own that is like this. I will incorporate this method with mine. Thanks Gary

  • @nick066hu 6 months ago

    I use a kind of peppering with my credit cards' PIN numbers. I have only one four-figure number to remember, then I calculate the four numbers I have to add to it to get a banking card's PIN code. I write these numbers on all my credit cards. When using one I have to add my secret number. But I only have to remember this one secret number. I use the same everywhere a four character PIN is required.
    A number appearing to be the PIN written on the credit card may also confuse the wrong guys if stolen; they would first try to use it in an ATM, and there is a chance the card gets blocked, so it is more likely they can't use it for online purchases afterwards either.

  • @dav1dw 8 months ago

    I was already doing peppering, but deleting characters from the saved password and adding my pepper is even better!

  • @micanalnotienenombre 1 year ago

    Really interesting video. Same as many commenters, I was skeptical before watching this, but I can say I learned something today.

  • @PrabhatXLR8 1 year ago

    I use the first way you told. Part is on password manager and part of it in my mind. Although that half part in my mind is common for all my passwords.. So easy to manage all passwords

  • @johnkressel2178 1 year ago +1

    I use a variant of this. My password manager stores a long random string, I know a long phrase, I combine the 2 and hash a number of times to produce my password. That way the password is never stored by me

    • @GaryExplains 1 year ago +5

      Yes, obviously there are lots of ways to generate a password, but you are sacrificing convenience for a long process of string concatenation, multiple hashing etc.

  • @OMGWTFLOLSMH 1 year ago +1

    Simple but great tip. Thanks.

  • @NoEgg4u 5 months ago

    CorrectHorseBatteryStapleq#W7

  • @edwardjaycocks5497 1 year ago

    Give this a thumbs up, although I do know it should be said that ultimately, in the end, the length of your password is critical.