WEBVTT - Techstuff Classic: TechStuff Looks at Password Security 0:00:04.240 --> 0:00:07.240 Welcome to tech Stuff, a production of I Heart Radios 0:00:07.320 --> 0:00:14.000 How Stuff Works. Hey there, and welcome to tech Stuff. 0:00:14.240 --> 0:00:17.360 I'm your host, Jonathan Strickland. I'm an executive producer with 0:00:17.400 --> 0:00:19.840 How Stuff Works in my Heart Radio, and I love 0:00:19.840 --> 0:00:22.880 all things tech. I decided to deliver it that way 0:00:23.040 --> 0:00:25.680 because Tary was going to lipstick it with me otherwise. 0:00:26.680 --> 0:00:29.880 I am here to give you a classic episode of 0:00:29.920 --> 0:00:32.400 tech Stuff, and I thought for a while that I 0:00:32.400 --> 0:00:34.760 should re enact the entire thing and do all the 0:00:34.880 --> 0:00:37.519 voices for me and for Chris, but Sary reminded me 0:00:37.560 --> 0:00:40.000 that I also want to get home today, so instead, 0:00:40.040 --> 0:00:42.479 we're just gonna play this classic episode for you. It 0:00:42.560 --> 0:00:45.720 is called tech Stuff looks at Password Security, and it 0:00:45.840 --> 0:00:50.959 dates from September nineteen, two thousand twelve. Enjoy Security has 0:00:51.120 --> 0:00:52.920 been in the news a lot lately as of the 0:00:52.960 --> 0:00:56.680 time we're recording this in lead August two thousand twelve, UM, 0:00:56.720 --> 0:00:59.600 and part of that is because, as we have touched 0:00:59.640 --> 0:01:02.120 on an a handful of times since some of the big, 0:01:03.040 --> 0:01:07.440 more widely publicized cases have been making the news that 0:01:08.200 --> 0:01:11.880 you know, hackers have been breaking into different accounts at 0:01:12.040 --> 0:01:17.280 major corporations online, stealing people's information. It's unclear whether people's 0:01:17.280 --> 0:01:19.680 credit card numbers were stolen or if we have your 0:01:19.720 --> 0:01:21.760 home address or we know the name of your dog. 0:01:22.000 --> 0:01:24.440 There was a whole story of Matt Honan getting his 0:01:24.720 --> 0:01:29.440 entire digital life hacked because of a vulnerability between the 0:01:29.480 --> 0:01:34.360 systems of Amazon and Apple, which clearly taken a loan, 0:01:35.240 --> 0:01:40.440 clearly were not obvious as problems, but when put together, 0:01:40.560 --> 0:01:43.479 post problems because they were the people who were doing 0:01:43.520 --> 0:01:46.360 the hacking game to the system and put them against 0:01:46.400 --> 0:01:49.000 one another to create a bigger picture that allowed them 0:01:49.000 --> 0:01:51.960 to get the information. Well, uh, you know, people have 0:01:52.040 --> 0:01:55.040 been saying that you need secure password please, and there 0:01:55.040 --> 0:01:57.960 are news reports about this too. People are still using 0:01:58.520 --> 0:02:04.160 password as password or obvious terms one, two, three, four. 0:02:04.240 --> 0:02:08.519 That's the kind of thing an idiot puts on his luggage. Hey, so, 0:02:08.680 --> 0:02:11.880 uh yeah, I mean those kinds of things are still 0:02:11.919 --> 0:02:15.839 in practice, and of course you need to use more 0:02:16.000 --> 0:02:20.440 secure passwords, but it's it's it goes deeper than that. 0:02:20.480 --> 0:02:24.960 There's more information out there now about how even using 0:02:25.680 --> 0:02:31.760 stronger passwords alone isn't necessarily going to keep hackers from 0:02:31.800 --> 0:02:35.160 being able to get into your account. So think about 0:02:35.160 --> 0:02:38.040 what you're doing. There's there's several several things that you 0:02:38.120 --> 0:02:41.920 have to consider. One of those is the idea of 0:02:42.040 --> 0:02:46.040 linking accounts together, because that means that should one account 0:02:46.120 --> 0:02:50.640 become vulnerable, then those other linked accounts could also be vulnerable. 0:02:51.280 --> 0:02:54.320 That was the case with Matt Honan, right. So one 0:02:54.320 --> 0:02:57.359 of the many problems of his yes UM because more 0:02:57.360 --> 0:03:00.200 identifiable problems because once they got to access to his 0:03:00.280 --> 0:03:03.120 Google account, then they were able to reset stuff all 0:03:03.120 --> 0:03:05.080 over the place. And then it turned out that all 0:03:05.120 --> 0:03:07.600 they really wanted was to access his Twitter account, which 0:03:07.639 --> 0:03:11.320 is I guess in a way he's fortunate, but it's 0:03:11.320 --> 0:03:13.760 still pretty crazy everything that they managed to do in 0:03:13.840 --> 0:03:15.440 order to do that, and they caused quite a bit 0:03:15.480 --> 0:03:19.240 of damage along the way to mattahone in anyway not 0:03:19.320 --> 0:03:23.280 to mention to the the the public perception of security 0:03:23.880 --> 0:03:27.239 UM on the back end. So that's one thing is 0:03:27.280 --> 0:03:31.280 linking lots of accounts together holds a very specific danger. 0:03:31.320 --> 0:03:34.480 I mean, for one thing like Facebook Connect or really 0:03:34.520 --> 0:03:38.080 any open i D approach, right, if that system is 0:03:38.120 --> 0:03:41.360 not secure, you have a single point that you can 0:03:41.440 --> 0:03:44.640 target that will give you access to lots of stuff. 0:03:45.360 --> 0:03:50.240 Now that's so sad because for us, the consumer that's 0:03:50.280 --> 0:03:52.840 so helpful. Yeah, having one account that you can log 0:03:52.880 --> 0:03:57.000 into and from there you can authenticate with multiple other services. 0:03:57.360 --> 0:04:01.440 You don't have to form after form after form. Uh, 0:04:01.680 --> 0:04:05.080 you know, it's it is a very valuable service now. 0:04:05.200 --> 0:04:08.320 And I'm not saying that that Facebook Connect or Open 0:04:08.360 --> 0:04:10.840 Idea or any of that is that they are not secure. 0:04:10.920 --> 0:04:13.760 They're putting they're putting lots of protections in place to 0:04:13.800 --> 0:04:17.599 try and keep user information as safe as possible. It's not. Yeah, 0:04:17.600 --> 0:04:20.600 it's not so much that it's inherently wrong, as that 0:04:21.080 --> 0:04:25.400 if something does happen, it can cause serious problems. Right. 0:04:25.480 --> 0:04:28.960 So that's one issue. Another issue is the way that 0:04:29.000 --> 0:04:33.000 we create passwords as users for those of us who 0:04:33.200 --> 0:04:38.839 are using either very common words or even names. Um, 0:04:38.920 --> 0:04:40.839 even if we think we're being clever by adding a 0:04:40.839 --> 0:04:44.159 few numbers to it, that's not really that secure. And 0:04:44.640 --> 0:04:49.680 if it becomes even more insecure if we're using those 0:04:50.800 --> 0:04:57.919 passwords at multiple accounts. So I think, uh, we we were. 0:04:57.960 --> 0:05:01.279 We both read an article from Ours Technical by Dan 0:05:01.320 --> 0:05:05.080 Gooden called why passwords have never been weaker and crackers 0:05:05.080 --> 0:05:07.760 have never been stronger. It's actually it's a fascinating read, 0:05:07.800 --> 0:05:09.640 and I do recommend you check it out if you 0:05:09.760 --> 0:05:12.240 find this episode interesting, where even if you don't, it's 0:05:12.279 --> 0:05:15.480 a good thing to know. And uh, it's it's typically 0:05:15.839 --> 0:05:19.440 our technical typically get into more technical detail than than 0:05:19.560 --> 0:05:21.880 articles on how stuff works dot com. But if you're 0:05:21.920 --> 0:05:23.840 if you're really serious about it, there there's a lot 0:05:23.839 --> 0:05:26.400 of important information in there, and we can give you 0:05:26.480 --> 0:05:29.960 kind of the layman approach to what is going on here. 0:05:30.040 --> 0:05:32.000 But part of that is that I remember reading, and 0:05:32.000 --> 0:05:33.680 it may not have been in this article, I do 0:05:33.720 --> 0:05:36.839 remember reading a statistic that the average user has something 0:05:36.880 --> 0:05:39.719 like six and a half passwords. That's in there. Okay, 0:05:39.880 --> 0:05:41.760 so they use six and a half past and you know, 0:05:41.839 --> 0:05:43.479 of course this is an average. We're not saying someone 0:05:43.520 --> 0:05:45.960 out there's just putting, you know what, I was gonna 0:05:46.000 --> 0:05:48.479 type in my whole password, which is typically password, and 0:05:48.480 --> 0:05:50.680 I'm just gonna type in pass for this one. No, 0:05:50.839 --> 0:05:53.800 that's not what it means sword, it's the average. So 0:05:53.960 --> 0:05:56.239 but that means that, you know, you think the average 0:05:56.240 --> 0:05:59.800 person has around twenty five accounts across the web, but 0:05:59.839 --> 0:06:02.720 they're using on average six and a half passwords, so 0:06:03.080 --> 0:06:06.000 each password is being used for around three times on average. 0:06:06.040 --> 0:06:07.839 I mean that's again an average. You might have just 0:06:07.920 --> 0:06:10.240 one password that used twenty times and the other three 0:06:10.360 --> 0:06:13.000 used the other five. Well, I don't want to use 0:06:13.040 --> 0:06:17.120 the same password on Google, and yeah, who's so I'll 0:06:17.200 --> 0:06:19.120 use one for one and the other one for the other, 0:06:19.200 --> 0:06:23.000 and then I'll use the Google one again for pest 0:06:23.520 --> 0:06:26.280 or whatever one for Facebook because they are those are 0:06:26.360 --> 0:06:29.200 disconnected enough where it's not gonna know. That's still a 0:06:29.200 --> 0:06:31.680 problem unless you think that I am a super genius, 0:06:31.760 --> 0:06:34.799 because I can say this, no, I I reused passwords 0:06:34.800 --> 0:06:37.160 from time to time too. I'm guilty of it, just 0:06:37.240 --> 0:06:40.640 as much as the planet. I was awful for a 0:06:40.680 --> 0:06:44.679 long time. Passwords among Yeah there were that was pretty 0:06:44.720 --> 0:06:46.920 much mine too. I had about three passwords that I 0:06:47.040 --> 0:06:49.360 used for almost everything. That is no longer the case. People, 0:06:50.080 --> 0:06:52.000 I don't do that anymore. Well, I told you I 0:06:52.000 --> 0:06:55.320 didn't mean you erase all those accounts anyway. So that's 0:06:56.080 --> 0:06:58.720 that's another user behavior, and we'll get more into that 0:06:58.760 --> 0:07:02.559 in a minute. But then the third piece is how 0:07:03.640 --> 0:07:08.480 safe are those passwords within the databases of the companies 0:07:08.520 --> 0:07:13.680 that hold those passwords. So if you are a cracker, 0:07:13.920 --> 0:07:15.880 you know a hacker who is specifically trying to crack 0:07:15.880 --> 0:07:21.600 into security systems, and you have identified a potential target 0:07:21.640 --> 0:07:26.720 to try and get at their password database, then uh, 0:07:26.840 --> 0:07:29.880 if it's if it's one where the user base of 0:07:29.920 --> 0:07:35.320 that service or company also typically has accounts at other places. 0:07:35.920 --> 0:07:38.800 You've managed to not just get the passwords for that 0:07:38.920 --> 0:07:42.480 one account, but knowing that people tend to reuse their passwords, 0:07:42.720 --> 0:07:48.800 you might actually have access to multiple services. Now, there 0:07:48.840 --> 0:07:51.000 are ways that companies can protect against this, not just 0:07:51.160 --> 0:07:54.000 by building a good security system that's hard to crack, 0:07:54.680 --> 0:07:59.560 but also by uh encrypting those passwords in the database 0:08:00.120 --> 0:08:03.000 that if you get that database, yes you've got a 0:08:03.000 --> 0:08:06.600 whole bunch of data, but it does not translate directly 0:08:06.680 --> 0:08:10.680 to the passwords because it's been put through a hashing algorithm. Yeah, 0:08:10.920 --> 0:08:14.880 and there's there are several sort of standard hashing algorithms. 0:08:15.200 --> 0:08:19.080 So basically it's a it's a little like email encryption too. 0:08:19.760 --> 0:08:22.840 So you have, let's just pick pass the four letter 0:08:22.840 --> 0:08:26.040 word pass um, you put it through the hashing algorithm, 0:08:26.280 --> 0:08:28.760 and on the other side of that, it the letters 0:08:28.760 --> 0:08:32.760 and numbers that make up the encrypted information look nothing 0:08:32.840 --> 0:08:35.680 like that. And it might be that your four letter 0:08:35.800 --> 0:08:39.120 password has just become a thirty two letter encrypted string 0:08:39.200 --> 0:08:42.600 of characters. Yeah, so somebody seeing that written down, say 0:08:42.640 --> 0:08:45.360 on a piece of paper, is not going to have 0:08:45.400 --> 0:08:47.280 any idea what that is, and they're not really going 0:08:47.320 --> 0:08:51.520 to have any way to decipher it. And theoretically it's 0:08:51.559 --> 0:08:56.000 pretty well, uh, pretty well protected, right theoretically, But here's 0:08:56.040 --> 0:08:58.480 the problem is that not first of all, not every 0:08:58.520 --> 0:09:03.440 company has historically encrypted all those passwords. And there have 0:09:03.600 --> 0:09:07.560 been cases where crackers have gotten access to a password 0:09:07.600 --> 0:09:10.800 database that was stored in plain text. That means that 0:09:10.880 --> 0:09:14.719 the password that you type in appears in that database 0:09:14.960 --> 0:09:18.760 as you typed it, so there's no hidden you know, 0:09:18.840 --> 0:09:22.000 code or anything. You've got those passwords, Well, that's very 0:09:22.080 --> 0:09:24.600 valuable to a cracker for more than just the fact 0:09:24.600 --> 0:09:27.120 that they now have access to your account. What's also 0:09:27.280 --> 0:09:30.360 valuable is that they now have a list of words 0:09:30.440 --> 0:09:36.480 that people use as passwords. So, uh, there's a there's 0:09:36.520 --> 0:09:38.600 a type of attack we should talk about, the brute 0:09:38.640 --> 0:09:43.200 force attack. A brute force attack is when a cracker 0:09:43.280 --> 0:09:47.000 tries to get access to a system by filling out 0:09:47.040 --> 0:09:51.120 the essentially filling out the password field multiple times until 0:09:51.160 --> 0:09:56.120 they get a positive result. And um, one way of 0:09:56.120 --> 0:09:58.480 doing a brute force attack. A very common way is 0:09:58.520 --> 0:10:01.240 to do what's called a dictionary at at where you take. 0:10:01.600 --> 0:10:05.920 You create a virtual dictionary of words that you use 0:10:06.120 --> 0:10:08.680 as the basis for passwords. Knowing that a lot of 0:10:08.720 --> 0:10:12.760 people will pick a common dictionary word as the basis 0:10:13.080 --> 0:10:16.080 of their password hard wark, antelope, ant eater, you know, 0:10:16.080 --> 0:10:18.160 and it just goes all the way through to pick 0:10:18.240 --> 0:10:21.360 animals for some reason. But something else that they'll do 0:10:21.440 --> 0:10:24.680 as part of this dictionary attack what they'll start adding 0:10:25.360 --> 0:10:28.680 changing symbols. So let's say your your password is hardwark, 0:10:29.440 --> 0:10:33.760 but you're being clever and changing the a's symbols at 0:10:33.800 --> 0:10:36.840 symbols and uh, you know, let's see you pick a 0:10:36.880 --> 0:10:39.560 word with with ease in it and you change them 0:10:39.600 --> 0:10:43.000 to threes. They try those two, Yeah, because those are 0:10:43.120 --> 0:10:46.160 very common approaches. And yes, you know, keeping in mind 0:10:46.200 --> 0:10:48.400 that most of us are using passwords that are easy 0:10:48.440 --> 0:10:53.040 for us to remember, and the more random ish or 0:10:53.120 --> 0:10:56.200 seemingly random these passwords get, the harder it is for 0:10:56.280 --> 0:10:59.760 us to recall them. So, knowing that's a weakness, the 0:11:00.040 --> 0:11:02.319 racker can say, all right, well, let's go with all 0:11:02.360 --> 0:11:05.600 these words, and let's go with the various variations we 0:11:05.600 --> 0:11:08.559 would expect people to use with these words. And even 0:11:08.640 --> 0:11:10.400 if you've done stuff like just added a couple of 0:11:10.480 --> 0:11:13.400 numbers at the end, that's not always a tough thing either. 0:11:13.480 --> 0:11:16.800 They can start going through all of these different variations 0:11:17.120 --> 0:11:19.240 adding various numbers at the end. If they know how 0:11:19.240 --> 0:11:22.679 many characters your password is, that already has given them 0:11:22.920 --> 0:11:26.120 a huge advantage. And the reason why this is possible 0:11:26.200 --> 0:11:29.440 is because we've got processors out there that can do 0:11:29.520 --> 0:11:32.360 these these calculations in parallel. You know, if you were 0:11:32.400 --> 0:11:35.240 to do them all one after the other, it may 0:11:35.280 --> 0:11:39.760 take you centuries to get through all the possibilities of 0:11:39.800 --> 0:11:43.559 a particular password, depending on how many characters there are 0:11:43.640 --> 0:11:46.800 within that password. Hey guys, it's Jonathan from two thousand nineteen. 0:11:47.080 --> 0:11:50.479 I just hacked into this classic episode because the password 0:11:50.520 --> 0:11:54.640 protection was laughable. It was just palette one to three. 0:11:55.080 --> 0:11:57.640 So I'm gonna mess around with some stuff. But let's 0:11:57.640 --> 0:12:07.080 take a quick break while I do that. In Hollywood, 0:12:07.080 --> 0:12:10.400 Hollywood computers can do an executive brute force attack in 0:12:10.440 --> 0:12:13.480 about twelve seconds. Yeah, well, sometimes that can happen here too, 0:12:13.520 --> 0:12:15.720 but that's generally not the way it works. Well, that's 0:12:15.840 --> 0:12:17.880 that's one of the interesting things about this article is 0:12:17.920 --> 0:12:21.600 you learn from reading that UH an attack like this 0:12:21.760 --> 0:12:27.880 doesn't take very long at all, that at most, assuming 0:12:27.880 --> 0:12:34.040 that you're not following really really strong password particles. UM. Yeah, 0:12:34.120 --> 0:12:37.120 it turns out that it's like, because of this parallel processing, 0:12:37.160 --> 0:12:42.240 you've got a processor that's working on multiple UH approaches 0:12:42.280 --> 0:12:44.600 to this logan attempt. So we can go through all 0:12:44.640 --> 0:12:48.719 these different variations, even when there are billions and billions, 0:12:49.320 --> 0:12:53.640 as Karl Sagan would say, variations of passwords, the processor 0:12:53.720 --> 0:12:56.520 can go through so many so quickly. You know, each 0:12:56.600 --> 0:12:59.319 each thread in that parallel processing is movie got an 0:12:59.320 --> 0:13:03.760 incredible rate, and you've got multiple threads all going UH. 0:13:03.800 --> 0:13:07.320 There are crackers who use graphics processing units GPUs to 0:13:07.360 --> 0:13:10.120 do this. They because the GPUs are designed to be 0:13:10.120 --> 0:13:14.080 parallel processors. Yeah. Even even though they're designed primarily to 0:13:14.320 --> 0:13:18.920 handle graphics instructions and display them on your your monitor, 0:13:19.400 --> 0:13:24.400 GPUs can be UH pressed into service, let's say, by 0:13:25.040 --> 0:13:29.520 a program by a software that that can specifically UM 0:13:29.679 --> 0:13:33.080 send instructions to it. So what people do, UM, there 0:13:33.080 --> 0:13:36.840 are open source programs that you can use to UH 0:13:37.200 --> 0:13:42.640 assign password cracking to your GPU. UM sad to say, 0:13:42.720 --> 0:13:45.280 and and one of the uh, the interesting stories that 0:13:45.360 --> 0:13:47.120 are One of the interesting bits that I read from 0:13:47.120 --> 0:13:52.640 this article too was uh that people have grown increasingly 0:13:52.840 --> 0:13:57.320 intelligent about the way they save cracked passwords. So they're 0:13:57.360 --> 0:14:03.280 saving up dictionary attack type information. And so if you 0:14:03.400 --> 0:14:08.600 use you know, password one, is your password on one site, um, 0:14:08.640 --> 0:14:11.040 and they want to hack in to your account at 0:14:11.040 --> 0:14:15.840 the House of online Grapefruit, they might try they and 0:14:15.880 --> 0:14:18.240 they've got your information. They could try it there too, 0:14:18.240 --> 0:14:20.040 to see if you've used your password on more than 0:14:20.080 --> 0:14:23.600 one site. So that makes it increasingly dangerous for you 0:14:23.680 --> 0:14:27.600 to use the same password in multiple locations because there 0:14:27.720 --> 0:14:31.560 is a growing database of password information that that people 0:14:31.560 --> 0:14:34.480 are saving and not just throwing away once an attack 0:14:34.560 --> 0:14:37.120 is completely That database also means that they can look 0:14:37.160 --> 0:14:40.520 at things like frequencies like how frequently are people using 0:14:40.520 --> 0:14:43.800 the specific word or variations of this word as a password. 0:14:44.040 --> 0:14:46.480 And the more people who use it, the more you're like, 0:14:46.520 --> 0:14:48.440 all right, well let's bump this up the list. It's 0:14:48.480 --> 0:14:51.360 more of a likely candidate for a password. So, you know, 0:14:51.600 --> 0:14:53.920 we like to think that the passwords we choose are unique, 0:14:54.560 --> 0:14:57.880 but that's if we're basing it off a name or 0:14:57.920 --> 0:15:01.320 a word. That's not the case. Are lots of people 0:15:01.360 --> 0:15:03.920 out there using lots of passwords, and there's a good 0:15:04.000 --> 0:15:06.040 chance that someone out there is using the same quote 0:15:06.120 --> 0:15:09.880 unquote unique password. You are. Just remember your unique just 0:15:10.000 --> 0:15:14.240 like everybody else. You know, when everybody is special, no 0:15:14.320 --> 0:15:21.600 one is. It's incredible. Um. The so yeah, the the 0:15:21.600 --> 0:15:24.960 the database can tell the cracker all right, Well, not 0:15:25.000 --> 0:15:27.120 only am I using a dictionary attack, but I'm using 0:15:27.280 --> 0:15:31.520 a curated dictionary attack in a way, because these are 0:15:31.560 --> 0:15:34.480 the known passwords that are floating out there in the world, 0:15:34.560 --> 0:15:36.320 and these are the ones that are really popular that 0:15:36.360 --> 0:15:39.080 lots of people use. So we'll go through all the 0:15:39.160 --> 0:15:42.040 variations of these first, and you just you tweak your 0:15:42.040 --> 0:15:45.400 cracking program to do that so that you can get 0:15:45.440 --> 0:15:48.680 the the largest number of results in the least amount 0:15:48.720 --> 0:15:50.800 of time. And another thing you can do is once 0:15:50.840 --> 0:15:54.600 you've figured out these passwords that are very popular, that 0:15:54.720 --> 0:15:57.520 helps you determine other things, like there are only so 0:15:57.560 --> 0:16:01.440 many hashing algorithms that are really popular out there in 0:16:01.440 --> 0:16:04.960 the world of computer security, right, so if you know 0:16:05.040 --> 0:16:10.320 which hashing algorithm there the particular company is using, and 0:16:10.440 --> 0:16:12.840 you are able to get let's say you get access 0:16:12.840 --> 0:16:15.920 to their encrypted password database. So now you've got a 0:16:16.000 --> 0:16:19.080 list of passwords that are encrypted, so you cannot just 0:16:19.240 --> 0:16:21.840 look at them and know what the passwords are. If 0:16:21.840 --> 0:16:24.640 you are able to determine which security protocol they're using, 0:16:25.120 --> 0:16:29.360 and you have this massive database of um of of 0:16:29.640 --> 0:16:32.560 of passwords that are really popular, you can run those 0:16:32.560 --> 0:16:36.400 passwords through the same encryption algorithm to look at the 0:16:36.480 --> 0:16:39.120 hashes that come out and then start matching them up 0:16:39.160 --> 0:16:41.560 with the stuff that was in the database. So you're 0:16:41.560 --> 0:16:43.840 still cracking the passwords, you're just going about in a 0:16:43.880 --> 0:16:47.440 different way as far as this brute force attack is concerned. 0:16:47.440 --> 0:16:50.040 It's still a brute force attack. It's just doing it 0:16:50.120 --> 0:16:54.000 in a kind of an odd roundabout way because you've 0:16:54.000 --> 0:16:56.840 got the you've got the hash of the password, you've 0:16:56.880 --> 0:16:59.840 got the security protocol that's being used. Now you're trying 0:16:59.840 --> 0:17:03.960 to yes the original word that created that hashed password. 0:17:04.480 --> 0:17:06.880 Once you're able to do that, that account is no 0:17:06.920 --> 0:17:09.840 longer secure. And if that again, if you're using that 0:17:09.880 --> 0:17:13.960 same password elsewhere, those accounts aren't secure. Um, So you 0:17:14.000 --> 0:17:17.000 might be asking yourself, hey, if there are crackers out 0:17:17.040 --> 0:17:21.000 there who have these really advanced tools that can either 0:17:21.680 --> 0:17:25.360 figure out a password or uh, you know, kind of 0:17:25.560 --> 0:17:29.040 worked on a list so that the passwords I use 0:17:29.080 --> 0:17:32.760 are vulnerable. How do I how do I protect myself? 0:17:33.320 --> 0:17:34.800 And there are a few things you can do. One 0:17:35.000 --> 0:17:39.240 is use a unique password for every service that you 0:17:39.359 --> 0:17:43.320 log into, which is incredibly difficult if you're doing it 0:17:43.359 --> 0:17:45.960 on your own, which is why I would suggest getting 0:17:45.960 --> 0:17:49.280 a password manager program. And there are a lot of 0:17:49.320 --> 0:17:52.400 them out there. There are some that are free, there's 0:17:52.440 --> 0:17:55.240 some that you pay for. Um, there's some that are 0:17:55.240 --> 0:17:58.439 in the cloud. There are some that are based on 0:17:58.520 --> 0:18:02.959 your system. Yeah. Uh, you use a password manager, right, 0:18:03.560 --> 0:18:06.680 I do as well. UM, I'll go ahead and say 0:18:06.680 --> 0:18:10.000 which one I use. I use dash Lane, which I 0:18:10.160 --> 0:18:12.600 tried out for the first time this year and I 0:18:13.119 --> 0:18:17.280 like it well enough. Um. It saves passwords and if 0:18:17.320 --> 0:18:19.959 you want, it will generate a password for you, so 0:18:20.040 --> 0:18:22.600 you don't have to just come up with a string 0:18:22.640 --> 0:18:24.840 of things. It'll it'll do it for you and save 0:18:24.880 --> 0:18:28.639 it to your account. You create a master password that 0:18:28.880 --> 0:18:32.480 is a strong password, meaning that there are upper and 0:18:32.520 --> 0:18:36.240 lower case letters. There's also numbers in there. Uh, and 0:18:36.280 --> 0:18:38.639 all you have to do is remember that one. Which 0:18:39.040 --> 0:18:41.320 that sounds tricky, but I'll give you a hint on 0:18:41.400 --> 0:18:43.679 how to do something like that. If you want to 0:18:43.680 --> 0:18:47.480 try it yourself, you create a master password. Uh. Then 0:18:48.480 --> 0:18:51.639 when you log into your dash Ling account in my case, 0:18:52.440 --> 0:18:54.520 you then have access to all the other passwords that 0:18:54.600 --> 0:18:57.280 are that that dash Lane generates. So I actually went 0:18:57.280 --> 0:19:01.320 in to all my accounts and use the dash Lane 0:19:01.560 --> 0:19:05.359 password generator program, and it creates a ten character long 0:19:05.920 --> 0:19:10.800 strong password that's unique. So none of my accounts used 0:19:10.840 --> 0:19:14.720 the same ones anymore. They're all ten characters long. They 0:19:14.760 --> 0:19:19.879 are a mix of various characters and uh. When you 0:19:19.960 --> 0:19:24.119 get to about nine characters, and if it's a truly 0:19:24.520 --> 0:19:27.880 you know at least a seemingly random series of characters 0:19:27.880 --> 0:19:33.560 and numbers. Uh. The difficulty of cracking that password escalates dramatically, 0:19:34.359 --> 0:19:36.600 So I might go from a matter of days, two 0:19:36.600 --> 0:19:39.760 weeks or months. And the harder you make it to crack, 0:19:40.560 --> 0:19:45.600 the more likely your information will be safe so or 0:19:45.640 --> 0:19:48.560 that it will just be difficult for anyone to guess. Um. 0:19:48.760 --> 0:19:51.959 So that's the purpose of creating these strong passwords and 0:19:52.000 --> 0:19:55.520 the purpose for the password managers, because strong passwords are 0:19:55.520 --> 0:19:58.959 hard to remember. Um, So all I have to do 0:19:59.000 --> 0:20:01.879 is remember my one master password here's the hint I 0:20:01.960 --> 0:20:04.080 was gonna make. So if you want to make a 0:20:04.280 --> 0:20:10.080 strong password, like a master strong password, uh, it's best 0:20:10.119 --> 0:20:13.240 that you come up with a phrase that you will 0:20:13.280 --> 0:20:17.320 not forget and it it's great if the phrase also 0:20:17.440 --> 0:20:21.879 has a proper noun somewhere after the first word, so 0:20:21.880 --> 0:20:24.360 that you have some capitals in there as well. And 0:20:24.480 --> 0:20:27.160 you need a number, like a four digit number is best. 0:20:28.000 --> 0:20:32.719 So for example, you might say Dad's first car was 0:20:33.280 --> 0:20:38.480 a nineteen fifty six Volkswagen Bug. M all right, So 0:20:38.520 --> 0:20:41.119 then your password. You take the first letter off of 0:20:41.200 --> 0:20:43.800 each of those words and the number and you put 0:20:43.880 --> 0:20:47.600 them together and that becomes your password. So the first 0:20:47.640 --> 0:20:50.960 letter would be upper case D for Dad's then first car, 0:20:51.040 --> 0:20:54.760 so it's upper case D, lower case F, lower case C, 0:20:55.480 --> 0:20:59.040 lower case W, lower case A. Then you have the 0:20:59.080 --> 0:21:04.159 one X and then percase v U percase B for 0:21:04.320 --> 0:21:08.040 Volkswagen Bug. That could be your master password. And when 0:21:08.040 --> 0:21:10.960 you look at it as just a string of letters 0:21:11.000 --> 0:21:15.080 and numbers, it looks meaningless. You know, there's no there's 0:21:15.119 --> 0:21:18.920 no phrase that's evident right there immediately unless you happen 0:21:19.000 --> 0:21:22.160 to have already known it. So don't tell people you're oh, 0:21:22.200 --> 0:21:26.359 I gotta change my password. Yeah, but no, don't tell 0:21:26.400 --> 0:21:29.359 people what your phrases, but make it a phrase that 0:21:29.560 --> 0:21:34.159 is easy to remember. And uh and that could be 0:21:34.200 --> 0:21:38.320 your master password, and don't use it again. Just use 0:21:38.359 --> 0:21:41.480 it for your master password and then use the password 0:21:41.520 --> 0:21:44.919 generator or a password generator if you don't want to 0:21:45.240 --> 0:21:48.159 trust one thing with it. But it's it's easier to 0:21:48.280 --> 0:21:51.480 use a password managers on board password generator because it 0:21:51.520 --> 0:21:54.800 can save it directly to your account. Otherwise you're gonna 0:21:54.800 --> 0:21:58.959 have to transfer that that password to whatever your manager 0:21:59.080 --> 0:22:04.480 is UM and then that way you've got a vault 0:22:04.520 --> 0:22:10.240 of passwords that are encrypted that are ten characters, hopefully 0:22:10.280 --> 0:22:12.760 at least ten characters nine or ten characters at the 0:22:12.920 --> 0:22:18.960 very least, and are strong. It's funny. It's it's rather 0:22:19.000 --> 0:22:22.080 than coming up with a mnemonic device to remember your password, 0:22:22.119 --> 0:22:25.960 you start with them mnemonic device and from it from it. Yeah, 0:22:25.960 --> 0:22:28.440 I think that that's way easier because that is I've 0:22:28.560 --> 0:22:33.480 used a password generator before that creates a random string 0:22:33.520 --> 0:22:36.840 of characters and then tells you it's easy to remember this. 0:22:37.240 --> 0:22:42.080 Just remember echo bravos seven delta delta bro. You know, 0:22:42.119 --> 0:22:44.960 I'm like, this is that where are you from where 0:22:45.000 --> 0:22:48.960 that is easy? How is how is remembering a random 0:22:49.000 --> 0:22:53.240 selection of echoes and Bravos and etcetera and numbers easier 0:22:53.280 --> 0:22:56.600 than say, just remembering e e blah blah. You know, 0:22:56.640 --> 0:22:59.720 like that's not easier to me. But this other method 0:22:59.720 --> 0:23:03.840 where you create a pmneumonic device first and then convert 0:23:03.880 --> 0:23:07.760 that into a strong password makes way more sense to me. 0:23:09.000 --> 0:23:14.000 And uh again because you know the output of it 0:23:14.119 --> 0:23:18.480 is a seemingly random string of letters and numbers. Uh, 0:23:18.600 --> 0:23:22.600 it's not something that's easy for a computer to guess. Hi, guys, 0:23:22.680 --> 0:23:25.560 it's Jeamvan twenty nineteen. Chris called me up and he 0:23:25.640 --> 0:23:29.040 yelled at me. So I've updated the password. And while 0:23:29.040 --> 0:23:31.160 I'm doing that, we're just, uh, we're gonna take another 0:23:31.240 --> 0:23:41.760 quick break. Well, um, I use one password by agile 0:23:41.800 --> 0:23:45.000 bits um, which is a you can get as a 0:23:45.040 --> 0:23:48.800 desktop application for Windows or Mac. UM also works on 0:23:48.840 --> 0:23:52.400 iOS and Android. UM and uh, you know it has 0:23:52.400 --> 0:23:55.400 a browser plug in too on the desktop, so that 0:23:56.280 --> 0:23:58.800